diff --git a/tests/all-config-demo-industrial-edge-factory.expected.yaml b/tests/all-config-demo-industrial-edge-factory.expected.yaml
deleted file mode 100644
index 3f45295a..00000000
--- a/tests/all-config-demo-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
----
-# Source: config-demo/templates/config-demo-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-demo-configmap
-  labels:
-    app.kubernetes.io/instance: config-demo
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-            <title>Config Demo</title>
-        </head>
-          <body>
-            <h1>
-            Hub Cluster domain is 'apps.hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'apps.region.example.com' <br>
-            </h1>
-            <h2>
-            The secret is <a href="/secret/secret">secret</a>
-            </h2>
-          </body>
-      </html>
----
-# Source: config-demo/templates/config-demo-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: config-demo
-    deploymentconfig: config-demo
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: config-demo/templates/config-demo-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: config-demo
-  name: config-demo
-spec:
-  replicas: 2
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: config-demo
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: config-demo
-        deploymentconfig: config-demo
-      name: config-demo
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: config-demo-configmap
-        - mountPath: /var/www/html/secret
-          readOnly: true
-          name: config-demo-secret
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: config-demo-configmap
-        configMap:
-          defaultMode: 438
-          name: config-demo-configmap
-      - name: config-demo-secret
-        secret:
-          secretName: config-demo-secret
----
-# Source: config-demo/templates/config-demo-external-secret.yaml
-apiVersion: "external-secrets.io/v1beta1"
-kind: ExternalSecret
-metadata:
-  name: config-demo-secret
-  namespace: config-demo
-spec:
-  refreshInterval: 15s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: config-demo-secret
-    template:
-      type: Opaque
-  dataFrom:
-  - extract:
-      key: secret/data/global/config-demo
----
-# Source: config-demo/templates/config-demo-is.yaml
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
-  name: config-demo
-spec:
-  lookupPolicy:
-    local: true
-  tags:
-  - name: registry.access.redhat.com/ubi8/httpd-24
-    importPolicy: {}
-    referencePolicy:
-      type: Local
----
-# Source: config-demo/templates/config-demo-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: config-demo
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-config-demo-industrial-edge-hub.expected.yaml b/tests/all-config-demo-industrial-edge-hub.expected.yaml
deleted file mode 100644
index 3f45295a..00000000
--- a/tests/all-config-demo-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
----
-# Source: config-demo/templates/config-demo-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-demo-configmap
-  labels:
-    app.kubernetes.io/instance: config-demo
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-            <title>Config Demo</title>
-        </head>
-          <body>
-            <h1>
-            Hub Cluster domain is 'apps.hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'apps.region.example.com' <br>
-            </h1>
-            <h2>
-            The secret is <a href="/secret/secret">secret</a>
-            </h2>
-          </body>
-      </html>
----
-# Source: config-demo/templates/config-demo-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: config-demo
-    deploymentconfig: config-demo
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: config-demo/templates/config-demo-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: config-demo
-  name: config-demo
-spec:
-  replicas: 2
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: config-demo
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: config-demo
-        deploymentconfig: config-demo
-      name: config-demo
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: config-demo-configmap
-        - mountPath: /var/www/html/secret
-          readOnly: true
-          name: config-demo-secret
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: config-demo-configmap
-        configMap:
-          defaultMode: 438
-          name: config-demo-configmap
-      - name: config-demo-secret
-        secret:
-          secretName: config-demo-secret
----
-# Source: config-demo/templates/config-demo-external-secret.yaml
-apiVersion: "external-secrets.io/v1beta1"
-kind: ExternalSecret
-metadata:
-  name: config-demo-secret
-  namespace: config-demo
-spec:
-  refreshInterval: 15s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: config-demo-secret
-    template:
-      type: Opaque
-  dataFrom:
-  - extract:
-      key: secret/data/global/config-demo
----
-# Source: config-demo/templates/config-demo-is.yaml
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
-  name: config-demo
-spec:
-  lookupPolicy:
-    local: true
-  tags:
-  - name: registry.access.redhat.com/ubi8/httpd-24
-    importPolicy: {}
-    referencePolicy:
-      type: Local
----
-# Source: config-demo/templates/config-demo-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: config-demo
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-config-demo-medical-diagnosis-hub.expected.yaml b/tests/all-config-demo-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index 3f45295a..00000000
--- a/tests/all-config-demo-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
----
-# Source: config-demo/templates/config-demo-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-demo-configmap
-  labels:
-    app.kubernetes.io/instance: config-demo
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-            <title>Config Demo</title>
-        </head>
-          <body>
-            <h1>
-            Hub Cluster domain is 'apps.hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'apps.region.example.com' <br>
-            </h1>
-            <h2>
-            The secret is <a href="/secret/secret">secret</a>
-            </h2>
-          </body>
-      </html>
----
-# Source: config-demo/templates/config-demo-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: config-demo
-    deploymentconfig: config-demo
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: config-demo/templates/config-demo-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: config-demo
-  name: config-demo
-spec:
-  replicas: 2
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: config-demo
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: config-demo
-        deploymentconfig: config-demo
-      name: config-demo
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: config-demo-configmap
-        - mountPath: /var/www/html/secret
-          readOnly: true
-          name: config-demo-secret
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: config-demo-configmap
-        configMap:
-          defaultMode: 438
-          name: config-demo-configmap
-      - name: config-demo-secret
-        secret:
-          secretName: config-demo-secret
----
-# Source: config-demo/templates/config-demo-external-secret.yaml
-apiVersion: "external-secrets.io/v1beta1"
-kind: ExternalSecret
-metadata:
-  name: config-demo-secret
-  namespace: config-demo
-spec:
-  refreshInterval: 15s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: config-demo-secret
-    template:
-      type: Opaque
-  dataFrom:
-  - extract:
-      key: secret/data/global/config-demo
----
-# Source: config-demo/templates/config-demo-is.yaml
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
-  name: config-demo
-spec:
-  lookupPolicy:
-    local: true
-  tags:
-  - name: registry.access.redhat.com/ubi8/httpd-24
-    importPolicy: {}
-    referencePolicy:
-      type: Local
----
-# Source: config-demo/templates/config-demo-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: config-demo
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-config-demo-naked.expected.yaml b/tests/all-config-demo-naked.expected.yaml
deleted file mode 100644
index 8887a3ba..00000000
--- a/tests/all-config-demo-naked.expected.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
----
-# Source: config-demo/templates/config-demo-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-demo-configmap
-  labels:
-    app.kubernetes.io/instance: config-demo
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-            <title>Config Demo</title>
-        </head>
-          <body>
-            <h1>
-            Hub Cluster domain is 'hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'region-one.example.com' <br>
-            </h1>
-            <h2>
-            The secret is <a href="/secret/secret">secret</a>
-            </h2>
-          </body>
-      </html>
----
-# Source: config-demo/templates/config-demo-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: config-demo
-    deploymentconfig: config-demo
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: config-demo/templates/config-demo-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: config-demo
-  name: config-demo
-spec:
-  replicas: 2
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: config-demo
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: config-demo
-        deploymentconfig: config-demo
-      name: config-demo
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: config-demo-configmap
-        - mountPath: /var/www/html/secret
-          readOnly: true
-          name: config-demo-secret
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: config-demo-configmap
-        configMap:
-          defaultMode: 438
-          name: config-demo-configmap
-      - name: config-demo-secret
-        secret:
-          secretName: config-demo-secret
----
-# Source: config-demo/templates/config-demo-external-secret.yaml
-apiVersion: "external-secrets.io/v1beta1"
-kind: ExternalSecret
-metadata:
-  name: config-demo-secret
-  namespace: config-demo
-spec:
-  refreshInterval: 15s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: config-demo-secret
-    template:
-      type: Opaque
-  dataFrom:
-  - extract:
-      key: secret/data/global/config-demo
----
-# Source: config-demo/templates/config-demo-is.yaml
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
-  name: config-demo
-spec:
-  lookupPolicy:
-    local: true
-  tags:
-  - name: registry.access.redhat.com/ubi8/httpd-24
-    importPolicy: {}
-    referencePolicy:
-      type: Local
----
-# Source: config-demo/templates/config-demo-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: config-demo
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-config-demo-normal.expected.yaml b/tests/all-config-demo-normal.expected.yaml
deleted file mode 100644
index 3f45295a..00000000
--- a/tests/all-config-demo-normal.expected.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
----
-# Source: config-demo/templates/config-demo-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-demo-configmap
-  labels:
-    app.kubernetes.io/instance: config-demo
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-            <title>Config Demo</title>
-        </head>
-          <body>
-            <h1>
-            Hub Cluster domain is 'apps.hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'apps.region.example.com' <br>
-            </h1>
-            <h2>
-            The secret is <a href="/secret/secret">secret</a>
-            </h2>
-          </body>
-      </html>
----
-# Source: config-demo/templates/config-demo-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: config-demo
-    deploymentconfig: config-demo
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: config-demo/templates/config-demo-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: config-demo
-  name: config-demo
-spec:
-  replicas: 2
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: config-demo
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: config-demo
-        deploymentconfig: config-demo
-      name: config-demo
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: config-demo-configmap
-        - mountPath: /var/www/html/secret
-          readOnly: true
-          name: config-demo-secret
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: config-demo-configmap
-        configMap:
-          defaultMode: 438
-          name: config-demo-configmap
-      - name: config-demo-secret
-        secret:
-          secretName: config-demo-secret
----
-# Source: config-demo/templates/config-demo-external-secret.yaml
-apiVersion: "external-secrets.io/v1beta1"
-kind: ExternalSecret
-metadata:
-  name: config-demo-secret
-  namespace: config-demo
-spec:
-  refreshInterval: 15s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: config-demo-secret
-    template:
-      type: Opaque
-  dataFrom:
-  - extract:
-      key: secret/data/global/config-demo
----
-# Source: config-demo/templates/config-demo-is.yaml
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
-  name: config-demo
-spec:
-  lookupPolicy:
-    local: true
-  tags:
-  - name: registry.access.redhat.com/ubi8/httpd-24
-    importPolicy: {}
-    referencePolicy:
-      type: Local
----
-# Source: config-demo/templates/config-demo-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: config-demo
-  name: config-demo
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: config-demo
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-hello-world-industrial-edge-factory.expected.yaml b/tests/all-hello-world-industrial-edge-factory.expected.yaml
deleted file mode 100644
index daade8e6..00000000
--- a/tests/all-hello-world-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-# Source: hello-world/templates/hello-world-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: hello-world-configmap
-  labels:
-    app.kubernetes.io/instance: hello-world
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-          <title>Hello World</title>
-        </head>
-          <body>
-            <h1>Hello World!</h1>
-            <br/>
-            <h2>
-            Hub Cluster domain is 'apps.hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'apps.region.example.com' <br>
-            </h2>
-          </body>
-      </html>
----
-# Source: hello-world/templates/hello-world-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: hello-world
-    deploymentconfig: hello-world
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: hello-world/templates/hello-world-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: hello-world
-  name: hello-world
-spec:
-  replicas: 1
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: hello-world
-  template:
-    metadata:
-      labels:
-        app: hello-world
-        deploymentconfig: hello-world
-      name: hello-world
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: hello-world-configmap
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: hello-world-configmap
-        configMap:
-          defaultMode: 438
-          name: hello-world-configmap
----
-# Source: hello-world/templates/hello-world-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: hello-world
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-hello-world-industrial-edge-hub.expected.yaml b/tests/all-hello-world-industrial-edge-hub.expected.yaml
deleted file mode 100644
index daade8e6..00000000
--- a/tests/all-hello-world-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-# Source: hello-world/templates/hello-world-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: hello-world-configmap
-  labels:
-    app.kubernetes.io/instance: hello-world
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-          <title>Hello World</title>
-        </head>
-          <body>
-            <h1>Hello World!</h1>
-            <br/>
-            <h2>
-            Hub Cluster domain is 'apps.hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'apps.region.example.com' <br>
-            </h2>
-          </body>
-      </html>
----
-# Source: hello-world/templates/hello-world-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: hello-world
-    deploymentconfig: hello-world
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: hello-world/templates/hello-world-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: hello-world
-  name: hello-world
-spec:
-  replicas: 1
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: hello-world
-  template:
-    metadata:
-      labels:
-        app: hello-world
-        deploymentconfig: hello-world
-      name: hello-world
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: hello-world-configmap
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: hello-world-configmap
-        configMap:
-          defaultMode: 438
-          name: hello-world-configmap
----
-# Source: hello-world/templates/hello-world-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: hello-world
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-hello-world-medical-diagnosis-hub.expected.yaml b/tests/all-hello-world-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index daade8e6..00000000
--- a/tests/all-hello-world-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-# Source: hello-world/templates/hello-world-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: hello-world-configmap
-  labels:
-    app.kubernetes.io/instance: hello-world
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-          <title>Hello World</title>
-        </head>
-          <body>
-            <h1>Hello World!</h1>
-            <br/>
-            <h2>
-            Hub Cluster domain is 'apps.hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'apps.region.example.com' <br>
-            </h2>
-          </body>
-      </html>
----
-# Source: hello-world/templates/hello-world-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: hello-world
-    deploymentconfig: hello-world
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: hello-world/templates/hello-world-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: hello-world
-  name: hello-world
-spec:
-  replicas: 1
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: hello-world
-  template:
-    metadata:
-      labels:
-        app: hello-world
-        deploymentconfig: hello-world
-      name: hello-world
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: hello-world-configmap
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: hello-world-configmap
-        configMap:
-          defaultMode: 438
-          name: hello-world-configmap
----
-# Source: hello-world/templates/hello-world-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: hello-world
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-hello-world-naked.expected.yaml b/tests/all-hello-world-naked.expected.yaml
deleted file mode 100644
index 4fc914cf..00000000
--- a/tests/all-hello-world-naked.expected.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-# Source: hello-world/templates/hello-world-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: hello-world-configmap
-  labels:
-    app.kubernetes.io/instance: hello-world
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-          <title>Hello World</title>
-        </head>
-          <body>
-            <h1>Hello World!</h1>
-            <br/>
-            <h2>
-            Hub Cluster domain is 'hub.example.com' <br>
-            Pod is running on Local Cluster Domain '' <br>
-            </h2>
-          </body>
-      </html>
----
-# Source: hello-world/templates/hello-world-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: hello-world
-    deploymentconfig: hello-world
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: hello-world/templates/hello-world-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: hello-world
-  name: hello-world
-spec:
-  replicas: 1
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: hello-world
-  template:
-    metadata:
-      labels:
-        app: hello-world
-        deploymentconfig: hello-world
-      name: hello-world
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: hello-world-configmap
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: hello-world-configmap
-        configMap:
-          defaultMode: 438
-          name: hello-world-configmap
----
-# Source: hello-world/templates/hello-world-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: hello-world
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/all-hello-world-normal.expected.yaml b/tests/all-hello-world-normal.expected.yaml
deleted file mode 100644
index daade8e6..00000000
--- a/tests/all-hello-world-normal.expected.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-# Source: hello-world/templates/hello-world-cm.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: hello-world-configmap
-  labels:
-    app.kubernetes.io/instance: hello-world
-data:
-  "index.html": |-
-    <!DOCTYPE html>
-      <html lang="en">
-        <head>
-          <meta charset="utf-8">
-          <title>Hello World</title>
-        </head>
-          <body>
-            <h1>Hello World!</h1>
-            <br/>
-            <h2>
-            Hub Cluster domain is 'apps.hub.example.com' <br>
-            Pod is running on Local Cluster Domain 'apps.region.example.com' <br>
-            </h2>
-          </body>
-      </html>
----
-# Source: hello-world/templates/hello-world-svc.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  ports:
-  - name: 8080-tcp
-    port: 8080
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: hello-world
-    deploymentconfig: hello-world
-  sessionAffinity: None
-  type: ClusterIP
----
-# Source: hello-world/templates/hello-world-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: hello-world
-  name: hello-world
-spec:
-  replicas: 1
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      deploymentconfig: hello-world
-  template:
-    metadata:
-      labels:
-        app: hello-world
-        deploymentconfig: hello-world
-      name: hello-world
-    spec:
-      containers:
-      - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
-        #imagePullPolicy: Always
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /var/www/html
-          name: hello-world-configmap
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /index.html
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 5
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-      volumes:
-      - name: hello-world-configmap
-        configMap:
-          defaultMode: 438
-          name: hello-world-configmap
----
-# Source: hello-world/templates/hello-world-route.yaml
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
-  labels:
-    app: hello-world
-  name: hello-world
-spec:
-  port:
-    targetPort: 8080-tcp
-  to:
-    kind: Service
-    name: hello-world
-    weight: 100
-  wildcardPolicy: None
diff --git a/tests/common-acm-industrial-edge-factory.expected.yaml b/tests/common-acm-industrial-edge-factory.expected.yaml
deleted file mode 100644
index 94c8254f..00000000
--- a/tests/common-acm-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,363 +0,0 @@
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-# This pushes out the HUB's Certificate Authorities on to the imported clusters
----
-# Source: acm/templates/policies/application-policies.yaml
-# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
----
-# Source: acm/templates/policies/private-repo-policies.yaml
-# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace
-# to the "open-cluster-management" via the "private-hub-policy"
-#
-# Then we copy the secret from the "open-cluster-management" namespace to the
-# managed clusters "openshift-gitops" instance
-#
-# And we also copy the same secret to the namespaced argo's namespace
----
-# Source: acm/templates/multiclusterhub.yaml
-apiVersion: operator.open-cluster-management.io/v1
-kind: MultiClusterHub
-metadata:
-  name: multiclusterhub
-  namespace: open-cluster-management
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-    installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }'
-spec: {}
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement-argocd
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy-argocd
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                # This is an auto-generated file. DO NOT EDIT
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: Subscription
-                metadata:
-                  name: openshift-gitops-operator
-                  namespace: openshift-operators
-                  labels:
-                    operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
-                spec:
-                  channel: gitops-1.13
-                  installPlanApproval: Automatic
-                  name: openshift-gitops-operator
-                  source: redhat-operators
-                  sourceNamespace: openshift-marketplace
-                  config:
-                    env:
-                      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-                        value: "*"
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-ca-bundle
-                  namespace: openshift-gitops
-                  labels:
-                    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-# This policy depends on openshift-gitops-policy and the reason is that we need to be
-# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance
-# because the initcontainer references the trusted-ca-bundle and if it starts without the
-# configmap being there we risk running an argo instances that won't trust public CAs
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy-argocd
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  dependencies:
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: openshift-gitops-policy
-      namespace: open-cluster-management
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: hub-argo-ca-openshift-gitops-policy
-      namespace: open-cluster-management
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config-argocd
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1beta1
-                kind: ArgoCD
-                metadata:
-                  name: openshift-gitops
-                  namespace: openshift-gitops
-                spec:
-                  applicationSet:
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 512Mi
-                    webhookServer:
-                      ingress:
-                        enabled: false
-                      route:
-                        enabled: false
-                  controller:
-                    processors: {}
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 2Gi
-                      requests:
-                        cpu: 250m
-                        memory: 1Gi
-                    sharding: {}
-                  grafana:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                    route:
-                      enabled: false
-                  ha:
-                    enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  initialSSHKnownHosts: {}
-                  monitoring:
-                    enabled: false
-                  notifications:
-                    enabled: false
-                  prometheus:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    route:
-                      enabled: false
-                  rbac:
-                    defaultPolicy: ""
-                    policy: |-
-                      g, system:cluster-admins, role:admin
-                      g, cluster-admins, role:admin
-                    scopes: '[groups]'
-                  redis:
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  repo:
-                    initContainers:
-                    - command:
-                      - bash
-                      - -c
-                      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt
-                        || true
-                      image: registry.redhat.io/ubi9/ubi-minimal:latest
-                      name: fetch-ca
-                      resources: {}
-                      volumeMounts:
-                      - mountPath: /var/run/kube-root-ca
-                        name: kube-root-ca
-                      - mountPath: /var/run/trusted-ca
-                        name: trusted-ca-bundle
-                      - mountPath: /var/run/trusted-hub
-                        name: trusted-hub-bundle
-                      - mountPath: /tmp/ca-bundles
-                        name: ca-bundles
-                    resources:
-                      limits:
-                        cpu: "1"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 256Mi
-                    volumeMounts:
-                    - mountPath: /etc/pki/tls/certs
-                      name: ca-bundles
-                    volumes:
-                    - configMap:
-                        name: kube-root-ca.crt
-                      name: kube-root-ca
-                    - configMap:
-                        name: trusted-ca-bundle
-                        optional: true
-                      name: trusted-ca-bundle
-                    - configMap:
-                        name: trusted-hub-bundle
-                        optional: true
-                      name: trusted-hub-bundle
-                    - emptyDir: {}
-                      name: ca-bundles
-                  resourceExclusions: |-
-                    - apiGroups:
-                      - tekton.dev
-                      clusters:
-                      - '*'
-                      kinds:
-                      - TaskRun
-                      - PipelineRun
-                  server:
-                    autoscale:
-                      enabled: false
-                    grpc:
-                      ingress:
-                        enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 125m
-                        memory: 128Mi
-                    route:
-                      enabled: true
-                    service:
-                      type: ""
-                  sso:
-                    dex:
-                      openShiftOAuth: true
-                      resources:
-                        limits:
-                          cpu: 500m
-                          memory: 256Mi
-                        requests:
-                          cpu: 250m
-                          memory: 128Mi
-                    provider: dex
-                  tls:
-                    ca: {}
diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml
deleted file mode 100644
index 00cf4e4d..00000000
--- a/tests/common-acm-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,733 +0,0 @@
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-# This pushes out the HUB's Certificate Authorities on to the imported clusters
----
-# Source: acm/templates/policies/private-repo-policies.yaml
-# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace
-# to the "open-cluster-management" via the "private-hub-policy"
-#
-# Then we copy the secret from the "open-cluster-management" namespace to the
-# managed clusters "openshift-gitops" instance
-#
-# And we also copy the same secret to the namespaced argo's namespace
----
-# Source: acm/templates/multiclusterhub.yaml
-apiVersion: operator.open-cluster-management.io/v1
-kind: MultiClusterHub
-metadata:
-  name: multiclusterhub
-  namespace: open-cluster-management
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-    installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }'
-spec: {}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: acm-hub-ca-policy-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: acm-hub-ca-policy-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: acm-hub-ca-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: hub-argo-ca-openshift-gitops-policy-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: hub-argo-ca-openshift-gitops-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: hub-argo-ca-factory-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: hub-argo-ca-factory-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: hub-argo-ca-factory-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: factory-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: factory-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: factory-clustergroup-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement-argocd
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy-argocd
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: acm-hub-ca-policy-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: hub-argo-ca-factory-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: factory-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector: {
-  "matchExpressions": [
-    {
-      "key": "vendor",
-      "operator": "In",
-      "values": [
-        "OpenShift"
-      ]
-    }
-  ],
-  "matchLabels": {
-    "clusterGroup": "factory"
-  }
-}
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: acm-hub-ca-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: acm-hub-ca-config-policy
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: Secret
-                apiVersion: v1
-                type: Opaque
-                metadata:
-                  name: hub-ca
-                  namespace: golang-external-secrets
-                data:
-                  hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}'
-                  hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}'
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: imperative
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: hub-argo-ca-openshift-gitops-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: openshift-gitops
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: hub-argo-ca-factory-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: hub-argo-ca-factory-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: mypattern-factory
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/application-policies.yaml
-# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: factory-clustergroup-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: factory-clustergroup-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1alpha1
-                kind: Application
-                metadata:
-                  name: mypattern-factory
-                  namespace: openshift-gitops
-                  finalizers:
-                  - resources-finalizer.argocd.argoproj.io/foreground
-                spec:
-                  project: default
-                  source:
-                    repoURL: https://github.com/pattern-clone/mypattern
-                    targetRevision: main
-                    path: common/clustergroup
-                    helm:
-                      ignoreMissingValueFiles: true
-                      values: |
-                        extraParametersNested:
-                      valueFiles:
-                      - "/values-global.yaml"
-                      - "/values-factory.yaml"
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml'
-                      # We cannot use $.Values.global.clusterVersion because that gets resolved to the
-                      # hub's cluster version, whereas we want to include the spoke cluster version
-                      - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      parameters:
-                      - name: global.repoURL
-                        value: https://github.com/pattern-clone/mypattern
-                      - name: global.targetRevision
-                        value: main
-                      - name: global.namespace
-                        value: $ARGOCD_APP_NAMESPACE
-                      - name: global.pattern
-                        value: mypattern
-                      - name: global.hubClusterDomain
-                        value: apps.hub.example.com
-                      - name: global.localClusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}'
-                      - name: global.clusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}'
-                      - name: global.clusterVersion
-                        value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}'
-                      - name: global.localClusterName
-                        value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}'
-                      - name: global.clusterPlatform
-                        value: aws
-                      - name: global.multiSourceSupport
-                        value: 
-                      - name: global.multiSourceRepoUrl
-                        value: 
-                      - name: global.multiSourceTargetRevision
-                        value: 
-                      - name: global.privateRepo
-                        value: 
-                      - name: global.experimentalCapabilities
-                        value: 
-                      - name: clusterGroup.name
-                        value: factory
-                      - name: clusterGroup.isHubCluster
-                        value: "false"
-                  destination:
-                    server: https://kubernetes.default.svc
-                    namespace: mypattern-factory
-                  syncPolicy:
-                    automated:
-                      prune: false
-                      selfHeal: true
-                    retry:
-                      limit: 20
-                  ignoreDifferences:
-                  - group: apps
-                    kind: Deployment
-                    jsonPointers:
-                    - /spec/replicas
-                  - group: route.openshift.io
-                    kind: Route
-                    jsonPointers:
-                    - /status
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                # This is an auto-generated file. DO NOT EDIT
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: Subscription
-                metadata:
-                  name: openshift-gitops-operator
-                  namespace: openshift-operators
-                  labels:
-                    operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
-                spec:
-                  channel: gitops-1.13
-                  installPlanApproval: Automatic
-                  name: openshift-gitops-operator
-                  source: redhat-operators
-                  sourceNamespace: openshift-marketplace
-                  config:
-                    env:
-                      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-                        value: "*"
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-ca-bundle
-                  namespace: openshift-gitops
-                  labels:
-                    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-# This policy depends on openshift-gitops-policy and the reason is that we need to be
-# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance
-# because the initcontainer references the trusted-ca-bundle and if it starts without the
-# configmap being there we risk running an argo instances that won't trust public CAs
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy-argocd
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  dependencies:
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: openshift-gitops-policy
-      namespace: open-cluster-management
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: hub-argo-ca-openshift-gitops-policy
-      namespace: open-cluster-management
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config-argocd
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1beta1
-                kind: ArgoCD
-                metadata:
-                  name: openshift-gitops
-                  namespace: openshift-gitops
-                spec:
-                  applicationSet:
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 512Mi
-                    webhookServer:
-                      ingress:
-                        enabled: false
-                      route:
-                        enabled: false
-                  controller:
-                    processors: {}
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 2Gi
-                      requests:
-                        cpu: 250m
-                        memory: 1Gi
-                    sharding: {}
-                  grafana:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                    route:
-                      enabled: false
-                  ha:
-                    enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  initialSSHKnownHosts: {}
-                  monitoring:
-                    enabled: false
-                  notifications:
-                    enabled: false
-                  prometheus:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    route:
-                      enabled: false
-                  rbac:
-                    defaultPolicy: ""
-                    policy: |-
-                      g, system:cluster-admins, role:admin
-                      g, cluster-admins, role:admin
-                    scopes: '[groups]'
-                  redis:
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  repo:
-                    initContainers:
-                    - command:
-                      - bash
-                      - -c
-                      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt
-                        || true
-                      image: registry.redhat.io/ubi9/ubi-minimal:latest
-                      name: fetch-ca
-                      resources: {}
-                      volumeMounts:
-                      - mountPath: /var/run/kube-root-ca
-                        name: kube-root-ca
-                      - mountPath: /var/run/trusted-ca
-                        name: trusted-ca-bundle
-                      - mountPath: /var/run/trusted-hub
-                        name: trusted-hub-bundle
-                      - mountPath: /tmp/ca-bundles
-                        name: ca-bundles
-                    resources:
-                      limits:
-                        cpu: "1"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 256Mi
-                    volumeMounts:
-                    - mountPath: /etc/pki/tls/certs
-                      name: ca-bundles
-                    volumes:
-                    - configMap:
-                        name: kube-root-ca.crt
-                      name: kube-root-ca
-                    - configMap:
-                        name: trusted-ca-bundle
-                        optional: true
-                      name: trusted-ca-bundle
-                    - configMap:
-                        name: trusted-hub-bundle
-                        optional: true
-                      name: trusted-hub-bundle
-                    - emptyDir: {}
-                      name: ca-bundles
-                  resourceExclusions: |-
-                    - apiGroups:
-                      - tekton.dev
-                      clusters:
-                      - '*'
-                      kinds:
-                      - TaskRun
-                      - PipelineRun
-                  server:
-                    autoscale:
-                      enabled: false
-                    grpc:
-                      ingress:
-                        enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 125m
-                        memory: 128Mi
-                    route:
-                      enabled: true
-                    service:
-                      type: ""
-                  sso:
-                    dex:
-                      openShiftOAuth: true
-                      resources:
-                        limits:
-                          cpu: 500m
-                          memory: 256Mi
-                        requests:
-                          cpu: 250m
-                          memory: 128Mi
-                    provider: dex
-                  tls:
-                    ca: {}
diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index 5fea58d0..00000000
--- a/tests/common-acm-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,724 +0,0 @@
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-# This pushes out the HUB's Certificate Authorities on to the imported clusters
----
-# Source: acm/templates/policies/private-repo-policies.yaml
-# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace
-# to the "open-cluster-management" via the "private-hub-policy"
-#
-# Then we copy the secret from the "open-cluster-management" namespace to the
-# managed clusters "openshift-gitops" instance
-#
-# And we also copy the same secret to the namespaced argo's namespace
----
-# Source: acm/templates/multiclusterhub.yaml
-apiVersion: operator.open-cluster-management.io/v1
-kind: MultiClusterHub
-metadata:
-  name: multiclusterhub
-  namespace: open-cluster-management
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-    installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }'
-spec: {}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: acm-hub-ca-policy-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: acm-hub-ca-policy-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: acm-hub-ca-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: hub-argo-ca-openshift-gitops-policy-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: hub-argo-ca-openshift-gitops-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: hub-argo-ca-region-one-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: hub-argo-ca-region-one-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: hub-argo-ca-region-one-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: region-one-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: region-one-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: region-one-clustergroup-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement-argocd
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy-argocd
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: acm-hub-ca-policy-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: hub-argo-ca-region-one-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: region-one-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector: {
-  "matchLabels": {
-    "clusterGroup": "region-one"
-  }
-}
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: acm-hub-ca-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: acm-hub-ca-config-policy
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: Secret
-                apiVersion: v1
-                type: Opaque
-                metadata:
-                  name: hub-ca
-                  namespace: golang-external-secrets
-                data:
-                  hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}'
-                  hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}'
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: imperative
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: hub-argo-ca-openshift-gitops-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: openshift-gitops
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: hub-argo-ca-region-one-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: hub-argo-ca-region-one-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: mypattern-region-one
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/application-policies.yaml
-# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: region-one-clustergroup-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: region-one-clustergroup-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1alpha1
-                kind: Application
-                metadata:
-                  name: mypattern-region-one
-                  namespace: openshift-gitops
-                  finalizers:
-                  - resources-finalizer.argocd.argoproj.io/foreground
-                spec:
-                  project: default
-                  source:
-                    repoURL: https://github.com/pattern-clone/mypattern
-                    targetRevision: main
-                    path: common/clustergroup
-                    helm:
-                      ignoreMissingValueFiles: true
-                      values: |
-                        extraParametersNested:
-                      valueFiles:
-                      - "/values-global.yaml"
-                      - "/values-region-one.yaml"
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml'
-                      # We cannot use $.Values.global.clusterVersion because that gets resolved to the
-                      # hub's cluster version, whereas we want to include the spoke cluster version
-                      - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      parameters:
-                      - name: global.repoURL
-                        value: https://github.com/pattern-clone/mypattern
-                      - name: global.targetRevision
-                        value: main
-                      - name: global.namespace
-                        value: $ARGOCD_APP_NAMESPACE
-                      - name: global.pattern
-                        value: mypattern
-                      - name: global.hubClusterDomain
-                        value: apps.hub.example.com
-                      - name: global.localClusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}'
-                      - name: global.clusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}'
-                      - name: global.clusterVersion
-                        value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}'
-                      - name: global.localClusterName
-                        value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}'
-                      - name: global.clusterPlatform
-                        value: aws
-                      - name: global.multiSourceSupport
-                        value: 
-                      - name: global.multiSourceRepoUrl
-                        value: 
-                      - name: global.multiSourceTargetRevision
-                        value: 
-                      - name: global.privateRepo
-                        value: 
-                      - name: global.experimentalCapabilities
-                        value: 
-                      - name: clusterGroup.name
-                        value: region-one
-                      - name: clusterGroup.isHubCluster
-                        value: "false"
-                  destination:
-                    server: https://kubernetes.default.svc
-                    namespace: mypattern-region-one
-                  syncPolicy:
-                    automated:
-                      prune: false
-                      selfHeal: true
-                    retry:
-                      limit: 20
-                  ignoreDifferences:
-                  - group: apps
-                    kind: Deployment
-                    jsonPointers:
-                    - /spec/replicas
-                  - group: route.openshift.io
-                    kind: Route
-                    jsonPointers:
-                    - /status
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                # This is an auto-generated file. DO NOT EDIT
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: Subscription
-                metadata:
-                  name: openshift-gitops-operator
-                  namespace: openshift-operators
-                  labels:
-                    operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
-                spec:
-                  channel: gitops-1.13
-                  installPlanApproval: Automatic
-                  name: openshift-gitops-operator
-                  source: redhat-operators
-                  sourceNamespace: openshift-marketplace
-                  config:
-                    env:
-                      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-                        value: "*"
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-ca-bundle
-                  namespace: openshift-gitops
-                  labels:
-                    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-# This policy depends on openshift-gitops-policy and the reason is that we need to be
-# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance
-# because the initcontainer references the trusted-ca-bundle and if it starts without the
-# configmap being there we risk running an argo instances that won't trust public CAs
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy-argocd
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  dependencies:
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: openshift-gitops-policy
-      namespace: open-cluster-management
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: hub-argo-ca-openshift-gitops-policy
-      namespace: open-cluster-management
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config-argocd
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1beta1
-                kind: ArgoCD
-                metadata:
-                  name: openshift-gitops
-                  namespace: openshift-gitops
-                spec:
-                  applicationSet:
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 512Mi
-                    webhookServer:
-                      ingress:
-                        enabled: false
-                      route:
-                        enabled: false
-                  controller:
-                    processors: {}
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 2Gi
-                      requests:
-                        cpu: 250m
-                        memory: 1Gi
-                    sharding: {}
-                  grafana:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                    route:
-                      enabled: false
-                  ha:
-                    enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  initialSSHKnownHosts: {}
-                  monitoring:
-                    enabled: false
-                  notifications:
-                    enabled: false
-                  prometheus:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    route:
-                      enabled: false
-                  rbac:
-                    defaultPolicy: ""
-                    policy: |-
-                      g, system:cluster-admins, role:admin
-                      g, cluster-admins, role:admin
-                    scopes: '[groups]'
-                  redis:
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  repo:
-                    initContainers:
-                    - command:
-                      - bash
-                      - -c
-                      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt
-                        || true
-                      image: registry.redhat.io/ubi9/ubi-minimal:latest
-                      name: fetch-ca
-                      resources: {}
-                      volumeMounts:
-                      - mountPath: /var/run/kube-root-ca
-                        name: kube-root-ca
-                      - mountPath: /var/run/trusted-ca
-                        name: trusted-ca-bundle
-                      - mountPath: /var/run/trusted-hub
-                        name: trusted-hub-bundle
-                      - mountPath: /tmp/ca-bundles
-                        name: ca-bundles
-                    resources:
-                      limits:
-                        cpu: "1"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 256Mi
-                    volumeMounts:
-                    - mountPath: /etc/pki/tls/certs
-                      name: ca-bundles
-                    volumes:
-                    - configMap:
-                        name: kube-root-ca.crt
-                      name: kube-root-ca
-                    - configMap:
-                        name: trusted-ca-bundle
-                        optional: true
-                      name: trusted-ca-bundle
-                    - configMap:
-                        name: trusted-hub-bundle
-                        optional: true
-                      name: trusted-hub-bundle
-                    - emptyDir: {}
-                      name: ca-bundles
-                  resourceExclusions: |-
-                    - apiGroups:
-                      - tekton.dev
-                      clusters:
-                      - '*'
-                      kinds:
-                      - TaskRun
-                      - PipelineRun
-                  server:
-                    autoscale:
-                      enabled: false
-                    grpc:
-                      ingress:
-                        enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 125m
-                        memory: 128Mi
-                    route:
-                      enabled: true
-                    service:
-                      type: ""
-                  sso:
-                    dex:
-                      openShiftOAuth: true
-                      resources:
-                        limits:
-                          cpu: 500m
-                          memory: 256Mi
-                        requests:
-                          cpu: 250m
-                          memory: 128Mi
-                    provider: dex
-                  tls:
-                    ca: {}
diff --git a/tests/common-acm-naked.expected.yaml b/tests/common-acm-naked.expected.yaml
deleted file mode 100644
index 94c8254f..00000000
--- a/tests/common-acm-naked.expected.yaml
+++ /dev/null
@@ -1,363 +0,0 @@
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-# This pushes out the HUB's Certificate Authorities on to the imported clusters
----
-# Source: acm/templates/policies/application-policies.yaml
-# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
----
-# Source: acm/templates/policies/private-repo-policies.yaml
-# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace
-# to the "open-cluster-management" via the "private-hub-policy"
-#
-# Then we copy the secret from the "open-cluster-management" namespace to the
-# managed clusters "openshift-gitops" instance
-#
-# And we also copy the same secret to the namespaced argo's namespace
----
-# Source: acm/templates/multiclusterhub.yaml
-apiVersion: operator.open-cluster-management.io/v1
-kind: MultiClusterHub
-metadata:
-  name: multiclusterhub
-  namespace: open-cluster-management
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-    installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }'
-spec: {}
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement-argocd
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy-argocd
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                # This is an auto-generated file. DO NOT EDIT
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: Subscription
-                metadata:
-                  name: openshift-gitops-operator
-                  namespace: openshift-operators
-                  labels:
-                    operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
-                spec:
-                  channel: gitops-1.13
-                  installPlanApproval: Automatic
-                  name: openshift-gitops-operator
-                  source: redhat-operators
-                  sourceNamespace: openshift-marketplace
-                  config:
-                    env:
-                      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-                        value: "*"
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-ca-bundle
-                  namespace: openshift-gitops
-                  labels:
-                    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-# This policy depends on openshift-gitops-policy and the reason is that we need to be
-# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance
-# because the initcontainer references the trusted-ca-bundle and if it starts without the
-# configmap being there we risk running an argo instances that won't trust public CAs
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy-argocd
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  dependencies:
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: openshift-gitops-policy
-      namespace: open-cluster-management
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: hub-argo-ca-openshift-gitops-policy
-      namespace: open-cluster-management
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config-argocd
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1beta1
-                kind: ArgoCD
-                metadata:
-                  name: openshift-gitops
-                  namespace: openshift-gitops
-                spec:
-                  applicationSet:
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 512Mi
-                    webhookServer:
-                      ingress:
-                        enabled: false
-                      route:
-                        enabled: false
-                  controller:
-                    processors: {}
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 2Gi
-                      requests:
-                        cpu: 250m
-                        memory: 1Gi
-                    sharding: {}
-                  grafana:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                    route:
-                      enabled: false
-                  ha:
-                    enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  initialSSHKnownHosts: {}
-                  monitoring:
-                    enabled: false
-                  notifications:
-                    enabled: false
-                  prometheus:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    route:
-                      enabled: false
-                  rbac:
-                    defaultPolicy: ""
-                    policy: |-
-                      g, system:cluster-admins, role:admin
-                      g, cluster-admins, role:admin
-                    scopes: '[groups]'
-                  redis:
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  repo:
-                    initContainers:
-                    - command:
-                      - bash
-                      - -c
-                      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt
-                        || true
-                      image: registry.redhat.io/ubi9/ubi-minimal:latest
-                      name: fetch-ca
-                      resources: {}
-                      volumeMounts:
-                      - mountPath: /var/run/kube-root-ca
-                        name: kube-root-ca
-                      - mountPath: /var/run/trusted-ca
-                        name: trusted-ca-bundle
-                      - mountPath: /var/run/trusted-hub
-                        name: trusted-hub-bundle
-                      - mountPath: /tmp/ca-bundles
-                        name: ca-bundles
-                    resources:
-                      limits:
-                        cpu: "1"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 256Mi
-                    volumeMounts:
-                    - mountPath: /etc/pki/tls/certs
-                      name: ca-bundles
-                    volumes:
-                    - configMap:
-                        name: kube-root-ca.crt
-                      name: kube-root-ca
-                    - configMap:
-                        name: trusted-ca-bundle
-                        optional: true
-                      name: trusted-ca-bundle
-                    - configMap:
-                        name: trusted-hub-bundle
-                        optional: true
-                      name: trusted-hub-bundle
-                    - emptyDir: {}
-                      name: ca-bundles
-                  resourceExclusions: |-
-                    - apiGroups:
-                      - tekton.dev
-                      clusters:
-                      - '*'
-                      kinds:
-                      - TaskRun
-                      - PipelineRun
-                  server:
-                    autoscale:
-                      enabled: false
-                    grpc:
-                      ingress:
-                        enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 125m
-                        memory: 128Mi
-                    route:
-                      enabled: true
-                    service:
-                      type: ""
-                  sso:
-                    dex:
-                      openShiftOAuth: true
-                      resources:
-                        limits:
-                          cpu: 500m
-                          memory: 256Mi
-                        requests:
-                          cpu: 250m
-                          memory: 128Mi
-                    provider: dex
-                  tls:
-                    ca: {}
diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml
deleted file mode 100644
index 6823a01b..00000000
--- a/tests/common-acm-normal.expected.yaml
+++ /dev/null
@@ -1,1894 +0,0 @@
----
-# Source: acm/templates/provision/clusterdeployment.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: aws-cd-one-w-pool-acm-provision-edge
----
-# Source: acm/templates/provision/clusterdeployment.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: aws-cd-two-wo-pool-acm-provision-on-deploy
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: aws-ap-acm-provision-edge-install-config
-data:
-  # Base64 encoding of install-config yaml
-  install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAxCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDAKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTIKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz
-type: Opaque
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: azure-us-acm-provision-edge-install-config
-data:
-  # Base64 encoding of install-config yaml
-  install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXp1cmUtdXMnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF6dXJlOgogICAgICB0eXBlOiBTdGFuZGFyZF9EOHNfdjMKY29tcHV0ZToKLSBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBuYW1lOiAnd29ya2VyJwogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhenVyZToKICAgICAgdHlwZTogU3RhbmRhcmRfRDhzX3YzCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhenVyZToKICAgIGJhc2VEb21haW5SZXNvdXJjZUdyb3VwTmFtZTogZG9qby1kbnMtem9uZXMKICAgIHJlZ2lvbjogZWFzdHVzCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw==
-type: Opaque
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: aws-cd-one-w-pool-acm-provision-edge-install-config
-  namespace: aws-cd-one-w-pool-acm-provision-edge
-data:
-  # Base64 encoding of install-config yaml
-  install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWNkLW9uZS13LXBvb2wnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCmNvbXB1dGU6Ci0gaHlwZXJ0aHJlYWRpbmc6IEVuYWJsZWQKICBhcmNoaXRlY3R1cmU6IGFtZDY0CiAgbmFtZTogJ3dvcmtlcicKICByZXBsaWNhczogMwogIHBsYXRmb3JtOgogICAgYXdzOgogICAgICB0eXBlOiBtNS54bGFyZ2UKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTEKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz
-type: Opaque
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: aws-cd-two-wo-pool-acm-provision-on-deploy-install-config
-  namespace: aws-cd-two-wo-pool-acm-provision-on-deploy
-data:
-  # Base64 encoding of install-config yaml
-  install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWNkLXR3by13by1wb29sJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhd3M6CiAgICByZWdpb246IGFwLXNvdXRoZWFzdC0zCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw==
-type: Opaque
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-# This pushes out the HUB's Certificate Authorities on to the imported clusters
----
-# Source: acm/templates/policies/private-repo-policies.yaml
-# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace
-# to the "open-cluster-management" via the "private-hub-policy"
-#
-# Then we copy the secret from the "open-cluster-management" namespace to the
-# managed clusters "openshift-gitops" instance
-#
-# And we also copy the same secret to the namespaced argo's namespace
----
-# Source: acm/templates/provision/clusterpool.yaml
-apiVersion: hive.openshift.io/v1
-kind: ClusterClaim
-metadata:
-  name: 'two-acm-provision-edge'
-  annotations:
-    argocd.argoproj.io/sync-wave: "20"
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    cluster.open-cluster-management.io/createmanagedcluster: "true"
-  labels:
-    clusterClaimName: two-acm-provision-edge
-    clusterGroup: region
-spec:
-  clusterPoolName: azure-us-acm-provision-edge
----
-# Source: acm/templates/provision/clusterpool.yaml
-apiVersion: hive.openshift.io/v1
-kind: ClusterClaim
-metadata:
-  name: 'three-acm-provision-edge'
-  annotations:
-    argocd.argoproj.io/sync-wave: "20"
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    cluster.open-cluster-management.io/createmanagedcluster: "true"
-  labels:
-    clusterClaimName: three-acm-provision-edge
-    clusterGroup: region
-spec:
-  clusterPoolName: azure-us-acm-provision-edge
----
-# Source: acm/templates/provision/clusterdeployment.yaml
-apiVersion: hive.openshift.io/v1
-kind: ClusterDeployment
-metadata:
-  name: aws-cd-one-w-pool-acm-provision-edge
-  namespace: aws-cd-one-w-pool-acm-provision-edge
-  labels:
-    vendor: OpenShift
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  baseDomain: blueprints.rhecoeng.com
-  clusterName: aws-cd-one-w-pool-acm-provision-edge
-  installAttemptsLimit: 1
-  platform:
-    aws:
-      credentialsSecretRef:
-        name: aws-cd-one-w-pool-acm-provision-edge-creds
-      region: ap-southeast-1
-  provisioning:
-    installConfigSecretRef:
-      name: aws-cd-one-w-pool-acm-provision-edge-install-config
-    sshPrivateKeySecretRef:
-      name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key
-    imageSetRef:
-      name: img4.10.18-multi-appsub
-  pullSecretRef:
-    name: aws-cd-one-w-pool-acm-provision-edge-pull-secret
----
-# Source: acm/templates/provision/clusterdeployment.yaml
-apiVersion: hive.openshift.io/v1
-kind: ClusterDeployment
-metadata:
-  name: aws-cd-two-wo-pool-acm-provision-on-deploy
-  namespace: aws-cd-two-wo-pool-acm-provision-on-deploy
-  labels:
-    vendor: OpenShift
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  baseDomain: blueprints.rhecoeng.com
-  clusterName: aws-cd-two-wo-pool-acm-provision-on-deploy
-  installAttemptsLimit: 1
-  platform:
-    aws:
-      credentialsSecretRef:
-        name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds
-      region: ap-southeast-3
-  provisioning:
-    installConfigSecretRef:
-      name: aws-cd-two-wo-pool-acm-provision-on-deploy-install-config
-    sshPrivateKeySecretRef:
-      name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key
-    imageSetRef:
-      name: img4.10.18-multi-appsub
-  pullSecretRef:
-    name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret
----
-# Source: acm/templates/provision/clusterpool.yaml
-apiVersion: hive.openshift.io/v1
-kind: ClusterPool
-metadata:
-  name: "aws-ap-acm-provision-edge"
-  annotations:
-    argocd.argoproj.io/sync-wave: "10"
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  labels:
-    cloud: aws
-    region: 'ap-southeast-2'
-    vendor: OpenShift
-    cluster.open-cluster-management.io/clusterset: aws-ap
-spec:
-  size: 3
-  runningCount: 0
-  baseDomain: blueprints.rhecoeng.com
-  installConfigSecretTemplateRef:
-    name: aws-ap-acm-provision-edge-install-config
-  imageSetRef:
-    name: img4.10.18-multi-appsub
-  pullSecretRef:
-    name: aws-ap-acm-provision-edge-pull-secret
-  skipMachinePools: true # Disable MachinePool as using custom install-config
-  platform:
-    aws:
-      credentialsSecretRef:
-        name: aws-ap-acm-provision-edge-creds
-      region: ap-southeast-2
----
-# Source: acm/templates/provision/clusterpool.yaml
-apiVersion: hive.openshift.io/v1
-kind: ClusterPool
-metadata:
-  name: "azure-us-acm-provision-edge"
-  annotations:
-    argocd.argoproj.io/sync-wave: "10"
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  labels:
-    cloud: azure
-    region: 'eastus'
-    vendor: OpenShift
-    cluster.open-cluster-management.io/clusterset: azure-us
-spec:
-  size: 2
-  runningCount: 2
-  baseDomain: blueprints.rhecoeng.com
-  installConfigSecretTemplateRef:
-    name: azure-us-acm-provision-edge-install-config
-  imageSetRef:
-    name: img4.10.18-multi-appsub
-  pullSecretRef:
-    name: azure-us-acm-provision-edge-pull-secret
-  skipMachinePools: true # Disable MachinePool as using custom install-config
-  platform:
-    azure:
-      credentialsSecretRef:
-        name: azure-us-acm-provision-edge-creds
-      region: eastus
----
-# Source: acm/templates/provision/secrets-aws.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-ap-acm-provision-edge-creds
-spec:
-  dataFrom:
-  - extract:
-      # Expects entries called: aws_access_key_id and aws_secret_access_key
-      key: secret/data/hub/aws
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-ap-acm-provision-edge-creds
-    creationPolicy: Owner
-    template:
-      type: Opaque
----
-# Source: acm/templates/provision/secrets-aws.yaml
-# For use when manually creating clusters with ACM
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-ap-acm-provision-edge-infra-creds
-spec:
-  data:
-  - secretKey: openshiftPullSecret
-    remoteRef:
-      key: secret/data/hub/openshiftPullSecret
-      property: content
-  - secretKey: awsKeyId
-    remoteRef:
-      key: secret/data/hub/aws
-      property: aws_access_key_id
-  - secretKey: awsAccessKey
-    remoteRef:
-      key: secret/data/hub/aws
-      property: aws_secret_access_key
-  - secretKey: sshPublicKey
-    remoteRef:
-      key: secret/data/hub/publickey
-      property: content
-  - secretKey: sshPrivateKey
-    remoteRef:
-      key: secret/data/hub/privatekey
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-ap-acm-provision-edge-infra-creds
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      metadata:
-        labels:
-          cluster.open-cluster-management.io/credentials: ""
-          cluster.open-cluster-management.io/type: aws
-      data:
-        baseDomain: "blueprints.rhecoeng.com"
-        pullSecret: |-
-          {{ .openshiftPullSecret | toString }}
-        aws_access_key_id: |-
-          {{ .awsKeyId | toString }}
-        aws_secret_access_key: |-
-          {{ .awsAccessKey | toString }}
-        ssh-privatekey: |-
-          {{ .sshPrivateKey | toString }}
-        ssh-publickey: |-
-          {{ .sshPublicKey | toString }}
-        httpProxy: ""
-        httpsProxy: ""
-        noProxy: ""
-        additionalTrustBundle: ""
----
-# Source: acm/templates/provision/secrets-aws.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-cd-one-w-pool-acm-provision-edge-creds
-  namespace: aws-cd-one-w-pool-acm-provision-edge
-spec:
-  dataFrom:
-  - extract:
-      # Expects entries called: aws_access_key_id and aws_secret_access_key
-      key: secret/data/hub/aws
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-cd-one-w-pool-acm-provision-edge-creds
-    creationPolicy: Owner
-    template:
-      type: Opaque
----
-# Source: acm/templates/provision/secrets-aws.yaml
-# For use when manually creating clusters with ACM
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-cd-one-w-pool-acm-provision-edge-infra-creds
-  namespace: aws-cd-one-w-pool-acm-provision-edge
-spec:
-  data:
-  - secretKey: openshiftPullSecret
-    remoteRef:
-      key: secret/data/hub/openshiftPullSecret
-      property: content
-  - secretKey: awsKeyId
-    remoteRef:
-      key: secret/data/hub/aws
-      property: aws_access_key_id
-  - secretKey: awsAccessKey
-    remoteRef:
-      key: secret/data/hub/aws
-      property: aws_secret_access_key
-  - secretKey: sshPublicKey
-    remoteRef:
-      key: secret/data/hub/publickey
-      property: content
-  - secretKey: sshPrivateKey
-    remoteRef:
-      key: secret/data/hub/privatekey
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-cd-one-w-pool-acm-provision-edge-infra-creds
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      metadata:
-        labels:
-          cluster.open-cluster-management.io/credentials: ""
-          cluster.open-cluster-management.io/type: aws
-      data:
-        baseDomain: "blueprints.rhecoeng.com"
-        pullSecret: |-
-          {{ .openshiftPullSecret | toString }}
-        aws_access_key_id: |-
-          {{ .awsKeyId | toString }}
-        aws_secret_access_key: |-
-          {{ .awsAccessKey | toString }}
-        ssh-privatekey: |-
-          {{ .sshPrivateKey | toString }}
-        ssh-publickey: |-
-          {{ .sshPublicKey | toString }}
-        httpProxy: ""
-        httpsProxy: ""
-        noProxy: ""
-        additionalTrustBundle: ""
----
-# Source: acm/templates/provision/secrets-aws.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds
-  namespace: aws-cd-two-wo-pool-acm-provision-on-deploy
-spec:
-  dataFrom:
-  - extract:
-      # Expects entries called: aws_access_key_id and aws_secret_access_key
-      key: secret/data/hub/aws
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds
-    creationPolicy: Owner
-    template:
-      type: Opaque
----
-# Source: acm/templates/provision/secrets-aws.yaml
-# For use when manually creating clusters with ACM
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-cd-two-wo-pool-acm-provision-on-deploy-infra-creds
-  namespace: aws-cd-two-wo-pool-acm-provision-on-deploy
-spec:
-  data:
-  - secretKey: openshiftPullSecret
-    remoteRef:
-      key: secret/data/hub/openshiftPullSecret
-      property: content
-  - secretKey: awsKeyId
-    remoteRef:
-      key: secret/data/hub/aws
-      property: aws_access_key_id
-  - secretKey: awsAccessKey
-    remoteRef:
-      key: secret/data/hub/aws
-      property: aws_secret_access_key
-  - secretKey: sshPublicKey
-    remoteRef:
-      key: secret/data/hub/publickey
-      property: content
-  - secretKey: sshPrivateKey
-    remoteRef:
-      key: secret/data/hub/privatekey
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-cd-two-wo-pool-acm-provision-on-deploy-infra-creds
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      metadata:
-        labels:
-          cluster.open-cluster-management.io/credentials: ""
-          cluster.open-cluster-management.io/type: aws
-      data:
-        baseDomain: "blueprints.rhecoeng.com"
-        pullSecret: |-
-          {{ .openshiftPullSecret | toString }}
-        aws_access_key_id: |-
-          {{ .awsKeyId | toString }}
-        aws_secret_access_key: |-
-          {{ .awsAccessKey | toString }}
-        ssh-privatekey: |-
-          {{ .sshPrivateKey | toString }}
-        ssh-publickey: |-
-          {{ .sshPublicKey | toString }}
-        httpProxy: ""
-        httpsProxy: ""
-        noProxy: ""
-        additionalTrustBundle: ""
----
-# Source: acm/templates/provision/secrets-azure.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: azure-us-acm-provision-edge-creds
-spec:
-  data:
-  - secretKey: azureOsServicePrincipal
-    remoteRef:
-      key: secret/data/hub/azureOsServicePrincipal
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: azure-us-acm-provision-edge-creds
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      data:
-        osServicePrincipal.json: |-
-          {{ .azureOsServicePrincipal | toString }}
----
-# Source: acm/templates/provision/secrets-azure.yaml
-# For use when manually creating clusters with ACM
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: azure-us-acm-provision-edge-infra-creds
-spec:
-  data:
-  - secretKey: openshiftPullSecret
-    remoteRef:
-      key: secret/data/hub/openshiftPullSecret
-      property: content
-  - secretKey: sshPublicKey
-    remoteRef:
-      key: secret/data/hub/publickey
-      property: content
-  - secretKey: sshPrivateKey
-    remoteRef:
-      key: secret/data/hub/privatekey
-      property: content
-  - secretKey: azureOsServicePrincipal
-    remoteRef:
-      key: secret/data/hub/azureOsServicePrincipal
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: azure-us-acm-provision-edge-infra-creds
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      metadata:
-        labels:
-          cluster.open-cluster-management.io/credentials: ""
-          cluster.open-cluster-management.io/type: aws
-      data:
-        cloudName: AzurePublicCloud
-        osServicePrincipal.json: |-
-          {{ .azureOsServicePrincipal | toString }}
-        baseDomain: "blueprints.rhecoeng.com"
-        baseDomainResourceGroupName: "dojo-dns-zones"
-        pullSecret: |-
-          {{ .openshiftPullSecret | toString }}
-        ssh-privatekey: |-
-          {{ .sshPrivateKey | toString }}
-        ssh-publickey: |-
-          {{ .sshPublicKey | toString }}
-        httpProxy: ""
-        httpsProxy: ""
-        noProxy: ""
-        additionalTrustBundle: ""
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-ap-acm-provision-edge-pull-secret
-spec:
-  data:
-  - secretKey: openshiftPullSecret
-    remoteRef:
-      key: secret/data/hub/openshiftPullSecret
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-ap-acm-provision-edge-pull-secret
-    creationPolicy: Owner
-    template:
-      type: kubernetes.io/dockerconfigjson
-      data:
-        .dockerconfigjson: |-
-          {{ .openshiftPullSecret | toString }}
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-ap-acm-provision-edge-ssh-private-key
-spec:
-  data:
-  - secretKey: sshPrivateKey
-    remoteRef:
-      key: secret/data/hub/privatekey
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-ap-acm-provision-edge-ssh-private-key
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      data:
-        ssh-privatekey: |-
-          {{ .sshPrivateKey | toString }}
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: azure-us-acm-provision-edge-pull-secret
-spec:
-  data:
-  - secretKey: openshiftPullSecret
-    remoteRef:
-      key: secret/data/hub/openshiftPullSecret
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: azure-us-acm-provision-edge-pull-secret
-    creationPolicy: Owner
-    template:
-      type: kubernetes.io/dockerconfigjson
-      data:
-        .dockerconfigjson: |-
-          {{ .openshiftPullSecret | toString }}
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: azure-us-acm-provision-edge-ssh-private-key
-spec:
-  data:
-  - secretKey: sshPrivateKey
-    remoteRef:
-      key: secret/data/hub/privatekey
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: azure-us-acm-provision-edge-ssh-private-key
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      data:
-        ssh-privatekey: |-
-          {{ .sshPrivateKey | toString }}
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-cd-one-w-pool-acm-provision-edge-pull-secret
-  namespace: aws-cd-one-w-pool-acm-provision-edge
-spec:
-  data:
-  - secretKey: openshiftPullSecret
-    remoteRef:
-      key: secret/data/hub/openshiftPullSecret
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-cd-one-w-pool-acm-provision-edge-pull-secret
-    creationPolicy: Owner
-    template:
-      type: kubernetes.io/dockerconfigjson
-      data:
-        .dockerconfigjson: |-
-          {{ .openshiftPullSecret | toString }}
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key
-  namespace: aws-cd-one-w-pool-acm-provision-edge
-spec:
-  data:
-  - secretKey: sshPrivateKey
-    remoteRef:
-      key: secret/data/hub/privatekey
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      data:
-        ssh-privatekey: |-
-          {{ .sshPrivateKey | toString }}
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret
-  namespace: aws-cd-two-wo-pool-acm-provision-on-deploy
-spec:
-  data:
-  - secretKey: openshiftPullSecret
-    remoteRef:
-      key: secret/data/hub/openshiftPullSecret
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret
-    creationPolicy: Owner
-    template:
-      type: kubernetes.io/dockerconfigjson
-      data:
-        .dockerconfigjson: |-
-          {{ .openshiftPullSecret | toString }}
----
-# Source: acm/templates/provision/secrets-common.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key
-  namespace: aws-cd-two-wo-pool-acm-provision-on-deploy
-spec:
-  data:
-  - secretKey: sshPrivateKey
-    remoteRef:
-      key: secret/data/hub/privatekey
-      property: content
-  refreshInterval: 24h0m0s
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      data:
-        ssh-privatekey: |-
-          {{ .sshPrivateKey | toString }}
----
-# Source: acm/templates/provision/clusterdeployment.yaml
-apiVersion: cluster.open-cluster-management.io/v1
-kind: ManagedCluster
-metadata:
-  labels:
-    cluster.open-cluster-management.io/clusterset: acm-provision-edge
-    clusterGroup: region
-  name: aws-cd-one-w-pool-acm-provision-edge
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  hubAcceptsClient: true
----
-# Source: acm/templates/provision/clusterdeployment.yaml
-apiVersion: cluster.open-cluster-management.io/v1
-kind: ManagedCluster
-metadata:
-  labels:
-    cluster.open-cluster-management.io/clusterset: acm-provision-on-deploy
-    clusterGroup: acm-provision-on-deploy
-  name: aws-cd-two-wo-pool-acm-provision-on-deploy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  hubAcceptsClient: true
----
-# Source: acm/templates/provision/managedclusterset.yaml
-apiVersion: cluster.open-cluster-management.io/v1beta2
-kind: ManagedClusterSet
-metadata:
-  annotations:
-    cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-edge-broker
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  name: acm-provision-edge
----
-# Source: acm/templates/provision/managedclusterset.yaml
-apiVersion: cluster.open-cluster-management.io/v1beta2
-kind: ManagedClusterSet
-metadata:
-  annotations:
-    cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-on-deploy-broker
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  name: acm-provision-on-deploy
----
-# Source: acm/templates/multiclusterhub.yaml
-apiVersion: operator.open-cluster-management.io/v1
-kind: MultiClusterHub
-metadata:
-  name: multiclusterhub
-  namespace: open-cluster-management
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-    installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }'
-spec: {}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: acm-hub-ca-policy-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: acm-hub-ca-policy-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: acm-hub-ca-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: hub-argo-ca-openshift-gitops-policy-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: hub-argo-ca-openshift-gitops-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: hub-argo-ca-acm-edge-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: hub-argo-ca-acm-edge-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: hub-argo-ca-acm-edge-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: hub-argo-ca-acm-provision-edge-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: hub-argo-ca-acm-provision-edge-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: hub-argo-ca-acm-provision-edge-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: hub-argo-ca-acm-provision-on-deploy-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: hub-argo-ca-acm-provision-on-deploy-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: hub-argo-ca-acm-provision-on-deploy-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: acm-edge-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: acm-edge-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: acm-edge-clustergroup-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: acm-provision-edge-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: acm-provision-edge-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: acm-provision-edge-clustergroup-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: acm-provision-on-deploy-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: acm-provision-on-deploy-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: acm-provision-on-deploy-clustergroup-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
-  name: openshift-gitops-placement-binding-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
-  name: openshift-gitops-placement-argocd
-  kind: PlacementRule
-  apiGroup: apps.open-cluster-management.io
-subjects:
-  - name: openshift-gitops-policy-argocd
-    kind: Policy
-    apiGroup: policy.open-cluster-management.io
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: acm-hub-ca-policy-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: hub-argo-ca-acm-edge-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: hub-argo-ca-acm-provision-edge-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: hub-argo-ca-acm-provision-on-deploy-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: acm-edge-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchLabels:
-      clusterGroup: acm-region
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: acm-provision-edge-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchLabels:
-      clusterGroup: region
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: acm-provision-on-deploy-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchLabels:
-      clusterGroup: acm-provision-on-deploy
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
-  name: openshift-gitops-placement-argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  clusterConditions:
-    - status: 'True'
-      type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: vendor
-        operator: In
-        values:
-          - OpenShift
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: acm-hub-ca-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: acm-hub-ca-config-policy
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: Secret
-                apiVersion: v1
-                type: Opaque
-                metadata:
-                  name: hub-ca
-                  namespace: golang-external-secrets
-                data:
-                  hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}'
-                  hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}'
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: imperative
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: hub-argo-ca-openshift-gitops-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: hub-argo-ca-openshift-gitops-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: openshift-gitops
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: hub-argo-ca-acm-edge-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: hub-argo-ca-acm-edge-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: mypattern-acm-edge
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: hub-argo-ca-acm-provision-edge-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: hub-argo-ca-acm-provision-edge-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: mypattern-acm-provision-edge
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/acm-hub-ca-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: hub-argo-ca-acm-provision-on-deploy-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: hub-argo-ca-acm-provision-on-deploy-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-hub-bundle
-                  namespace: mypattern-acm-provision-on-deploy
-                data:
-                  hub-kube-root-ca.crt: |
-                    {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
-                  hub-openshift-service-ca.crt: |
-                    {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
----
-# Source: acm/templates/policies/application-policies.yaml
-# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: acm-edge-clustergroup-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: acm-edge-clustergroup-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1alpha1
-                kind: Application
-                metadata:
-                  name: mypattern-acm-edge
-                  namespace: openshift-gitops
-                  finalizers:
-                  - resources-finalizer.argocd.argoproj.io/foreground
-                spec:
-                  project: default
-                  source:
-                    repoURL: https://github.com/pattern-clone/mypattern
-                    targetRevision: main
-                    path: common/clustergroup
-                    helm:
-                      ignoreMissingValueFiles: true
-                      values: |
-                        extraParametersNested:
-                      valueFiles:
-                      - "/values-global.yaml"
-                      - "/values-acm-edge.yaml"
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml'
-                      # We cannot use $.Values.global.clusterVersion because that gets resolved to the
-                      # hub's cluster version, whereas we want to include the spoke cluster version
-                      - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      parameters:
-                      - name: global.repoURL
-                        value: https://github.com/pattern-clone/mypattern
-                      - name: global.targetRevision
-                        value: main
-                      - name: global.namespace
-                        value: $ARGOCD_APP_NAMESPACE
-                      - name: global.pattern
-                        value: mypattern
-                      - name: global.hubClusterDomain
-                        value: apps.hub.example.com
-                      - name: global.localClusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}'
-                      - name: global.clusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}'
-                      - name: global.clusterVersion
-                        value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}'
-                      - name: global.localClusterName
-                        value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}'
-                      - name: global.clusterPlatform
-                        value: aws
-                      - name: global.multiSourceSupport
-                        value: 
-                      - name: global.multiSourceRepoUrl
-                        value: 
-                      - name: global.multiSourceTargetRevision
-                        value: 
-                      - name: global.privateRepo
-                        value: 
-                      - name: global.experimentalCapabilities
-                        value: 
-                      - name: clusterGroup.name
-                        value: acm-edge
-                      - name: clusterGroup.isHubCluster
-                        value: "false"
-                  destination:
-                    server: https://kubernetes.default.svc
-                    namespace: mypattern-acm-edge
-                  syncPolicy:
-                    automated:
-                      prune: false
-                      selfHeal: true
-                    retry:
-                      limit: 20
-                  ignoreDifferences:
-                  - group: apps
-                    kind: Deployment
-                    jsonPointers:
-                    - /spec/replicas
-                  - group: route.openshift.io
-                    kind: Route
-                    jsonPointers:
-                    - /status
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: acm-provision-edge-clustergroup-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: acm-provision-edge-clustergroup-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1alpha1
-                kind: Application
-                metadata:
-                  name: mypattern-acm-provision-edge
-                  namespace: openshift-gitops
-                  finalizers:
-                  - resources-finalizer.argocd.argoproj.io/foreground
-                spec:
-                  project: default
-                  source:
-                    repoURL: https://github.com/pattern-clone/mypattern
-                    targetRevision: main
-                    path: common/clustergroup
-                    helm:
-                      ignoreMissingValueFiles: true
-                      values: |
-                        extraParametersNested:
-                      valueFiles:
-                      - "/values-global.yaml"
-                      - "/values-acm-provision-edge.yaml"
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml'
-                      # We cannot use $.Values.global.clusterVersion because that gets resolved to the
-                      # hub's cluster version, whereas we want to include the spoke cluster version
-                      - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      parameters:
-                      - name: global.repoURL
-                        value: https://github.com/pattern-clone/mypattern
-                      - name: global.targetRevision
-                        value: main
-                      - name: global.namespace
-                        value: $ARGOCD_APP_NAMESPACE
-                      - name: global.pattern
-                        value: mypattern
-                      - name: global.hubClusterDomain
-                        value: apps.hub.example.com
-                      - name: global.localClusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}'
-                      - name: global.clusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}'
-                      - name: global.clusterVersion
-                        value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}'
-                      - name: global.localClusterName
-                        value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}'
-                      - name: global.clusterPlatform
-                        value: aws
-                      - name: global.multiSourceSupport
-                        value: 
-                      - name: global.multiSourceRepoUrl
-                        value: 
-                      - name: global.multiSourceTargetRevision
-                        value: 
-                      - name: global.privateRepo
-                        value: 
-                      - name: global.experimentalCapabilities
-                        value: 
-                      - name: clusterGroup.name
-                        value: acm-provision-edge
-                      - name: clusterGroup.isHubCluster
-                        value: "false"
-                  destination:
-                    server: https://kubernetes.default.svc
-                    namespace: mypattern-acm-provision-edge
-                  syncPolicy:
-                    automated:
-                      prune: false
-                      selfHeal: true
-                    retry:
-                      limit: 20
-                  ignoreDifferences:
-                  - group: apps
-                    kind: Deployment
-                    jsonPointers:
-                    - /spec/replicas
-                  - group: route.openshift.io
-                    kind: Route
-                    jsonPointers:
-                    - /status
----
-# Source: acm/templates/policies/application-policies.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: acm-provision-on-deploy-clustergroup-policy
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: acm-provision-on-deploy-clustergroup-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1alpha1
-                kind: Application
-                metadata:
-                  name: mypattern-acm-provision-on-deploy
-                  namespace: openshift-gitops
-                  finalizers:
-                  - resources-finalizer.argocd.argoproj.io/foreground
-                spec:
-                  project: default
-                  source:
-                    repoURL: https://github.com/pattern-clone/mypattern
-                    targetRevision: main
-                    path: common/clustergroup
-                    helm:
-                      ignoreMissingValueFiles: true
-                      values: |
-                        extraParametersNested:
-                      valueFiles:
-                      - "/values-global.yaml"
-                      - "/values-acm-provision-on-deploy.yaml"
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-on-deploy.yaml'
-                      # We cannot use $.Values.global.clusterVersion because that gets resolved to the
-                      # hub's cluster version, whereas we want to include the spoke cluster version
-                      - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml'
-                      parameters:
-                      - name: global.repoURL
-                        value: https://github.com/pattern-clone/mypattern
-                      - name: global.targetRevision
-                        value: main
-                      - name: global.namespace
-                        value: $ARGOCD_APP_NAMESPACE
-                      - name: global.pattern
-                        value: mypattern
-                      - name: global.hubClusterDomain
-                        value: apps.hub.example.com
-                      - name: global.localClusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}'
-                      - name: global.clusterDomain
-                        value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}'
-                      - name: global.clusterVersion
-                        value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}'
-                      - name: global.localClusterName
-                        value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}'
-                      - name: global.clusterPlatform
-                        value: aws
-                      - name: global.multiSourceSupport
-                        value: 
-                      - name: global.multiSourceRepoUrl
-                        value: 
-                      - name: global.multiSourceTargetRevision
-                        value: 
-                      - name: global.privateRepo
-                        value: 
-                      - name: global.experimentalCapabilities
-                        value: 
-                      - name: clusterGroup.name
-                        value: acm-provision-on-deploy
-                  destination:
-                    server: https://kubernetes.default.svc
-                    namespace: mypattern-acm-provision-on-deploy
-                  syncPolicy:
-                    automated:
-                      prune: false
-                      selfHeal: true
-                    retry:
-                      limit: 20
-                  ignoreDifferences:
-                  - group: apps
-                    kind: Deployment
-                    jsonPointers:
-                    - /spec/replicas
-                  - group: route.openshift.io
-                    kind: Route
-                    jsonPointers:
-                    - /status
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                # This is an auto-generated file. DO NOT EDIT
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: Subscription
-                metadata:
-                  name: openshift-gitops-operator
-                  namespace: openshift-operators
-                  labels:
-                    operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
-                spec:
-                  channel: gitops-1.13
-                  installPlanApproval: Automatic
-                  name: openshift-gitops-operator
-                  source: redhat-operators
-                  sourceNamespace: openshift-marketplace
-                  config:
-                    env:
-                      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-                        value: "*"
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: ConfigMap
-                apiVersion: v1
-                metadata:
-                  name: trusted-ca-bundle
-                  namespace: openshift-gitops
-                  labels:
-                    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: acm/templates/policies/ocp-gitops-policy.yaml
-# This policy depends on openshift-gitops-policy and the reason is that we need to be
-# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance
-# because the initcontainer references the trusted-ca-bundle and if it starts without the
-# configmap being there we risk running an argo instances that won't trust public CAs
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: openshift-gitops-policy-argocd
-  annotations:
-    policy.open-cluster-management.io/standards: NIST-CSF
-    policy.open-cluster-management.io/categories: PR.DS Data Security
-    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-  remediationAction: enforce
-  disabled: false
-  dependencies:
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: openshift-gitops-policy
-      namespace: open-cluster-management
-    - apiVersion: policy.open-cluster-management.io/v1
-      compliance: Compliant
-      kind: Policy
-      name: hub-argo-ca-openshift-gitops-policy
-      namespace: open-cluster-management
-  policy-templates:
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: openshift-gitops-config-argocd
-        spec:
-          remediationAction: enforce
-          severity: medium
-          namespaceSelector:
-            include:
-              - default
-          object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: argoproj.io/v1beta1
-                kind: ArgoCD
-                metadata:
-                  name: openshift-gitops
-                  namespace: openshift-gitops
-                spec:
-                  applicationSet:
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 512Mi
-                    webhookServer:
-                      ingress:
-                        enabled: false
-                      route:
-                        enabled: false
-                  controller:
-                    processors: {}
-                    resources:
-                      limits:
-                        cpu: "2"
-                        memory: 2Gi
-                      requests:
-                        cpu: 250m
-                        memory: 1Gi
-                    sharding: {}
-                  grafana:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                    route:
-                      enabled: false
-                  ha:
-                    enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  initialSSHKnownHosts: {}
-                  monitoring:
-                    enabled: false
-                  notifications:
-                    enabled: false
-                  prometheus:
-                    enabled: false
-                    ingress:
-                      enabled: false
-                    route:
-                      enabled: false
-                  rbac:
-                    defaultPolicy: ""
-                    policy: |-
-                      g, system:cluster-admins, role:admin
-                      g, cluster-admins, role:admin
-                    scopes: '[groups]'
-                  redis:
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 250m
-                        memory: 128Mi
-                  repo:
-                    initContainers:
-                    - command:
-                      - bash
-                      - -c
-                      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt
-                        || true
-                      image: registry.redhat.io/ubi9/ubi-minimal:latest
-                      name: fetch-ca
-                      resources: {}
-                      volumeMounts:
-                      - mountPath: /var/run/kube-root-ca
-                        name: kube-root-ca
-                      - mountPath: /var/run/trusted-ca
-                        name: trusted-ca-bundle
-                      - mountPath: /var/run/trusted-hub
-                        name: trusted-hub-bundle
-                      - mountPath: /tmp/ca-bundles
-                        name: ca-bundles
-                    resources:
-                      limits:
-                        cpu: "1"
-                        memory: 1Gi
-                      requests:
-                        cpu: 250m
-                        memory: 256Mi
-                    volumeMounts:
-                    - mountPath: /etc/pki/tls/certs
-                      name: ca-bundles
-                    volumes:
-                    - configMap:
-                        name: kube-root-ca.crt
-                      name: kube-root-ca
-                    - configMap:
-                        name: trusted-ca-bundle
-                        optional: true
-                      name: trusted-ca-bundle
-                    - configMap:
-                        name: trusted-hub-bundle
-                        optional: true
-                      name: trusted-hub-bundle
-                    - emptyDir: {}
-                      name: ca-bundles
-                  resourceExclusions: |-
-                    - apiGroups:
-                      - tekton.dev
-                      clusters:
-                      - '*'
-                      kinds:
-                      - TaskRun
-                      - PipelineRun
-                  server:
-                    autoscale:
-                      enabled: false
-                    grpc:
-                      ingress:
-                        enabled: false
-                    ingress:
-                      enabled: false
-                    resources:
-                      limits:
-                        cpu: 500m
-                        memory: 256Mi
-                      requests:
-                        cpu: 125m
-                        memory: 128Mi
-                    route:
-                      enabled: true
-                    service:
-                      type: ""
-                  sso:
-                    dex:
-                      openShiftOAuth: true
-                      resources:
-                        limits:
-                          cpu: 500m
-                          memory: 256Mi
-                        requests:
-                          cpu: 250m
-                          memory: 128Mi
-                    provider: dex
-                  tls:
-                    ca: {}
diff --git a/tests/common-clustergroup-industrial-edge-factory.expected.yaml b/tests/common-clustergroup-industrial-edge-factory.expected.yaml
deleted file mode 100644
index be7946c6..00000000
--- a/tests/common-clustergroup-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,968 +0,0 @@
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-factory
-  name: manuela-stormshift-line-dashboard
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-factory
-  name: manuela-stormshift-machine-sensor
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-factory
-  name: manuela-stormshift-messaging
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-factory
-  name: manuela-factory-ml-workspace
-spec:
----
-# Source: clustergroup/templates/imperative/namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: imperative
-    argocd.argoproj.io/managed-by: mypattern-factory
-  name: imperative
----
-# Source: clustergroup/templates/plumbing/gitops-namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: mypattern-factory
-  # The name here needs to be consistent with
-  # - acm/templates/policies/application-policies.yaml
-  # - clustergroup/templates/applications.yaml
-  # - any references to secrets and route URLs in documentation
-  name: mypattern-factory
-spec: {}
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-admin-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: helm-values-configmap-factory
-  namespace: imperative
-data:
-  values.yaml: |
-    clusterGroup:
-      applications:
-      - name: stormshift
-        path: charts/factory/manuela-stormshift
-        plugin:
-          name: helm-with-kustomize
-        project: factory
-      - name: odh
-        namespace: manuela-factory-ml-workspace
-        path: charts/datacenter/opendatahub
-        project: factory
-      argoCD:
-        configManagementPlugins:
-        - image: quay.io/hybridcloudpatterns/utility-container:latest
-          name: helm-with-kustomize
-          pluginArgs:
-          - --loglevel=debug
-          pluginConfig: |
-            apiVersion: argoproj.io/v1alpha1
-            kind: ConfigManagementPlugin
-            metadata:
-              name: helm-with-kustomize
-            spec:
-              preserveFileMode: true
-              init:
-                command: ["/bin/sh", "-c"]
-                args: ["helm dependency build"]
-              generate:
-                command: ["/bin/bash", "-c"]
-                args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52}
-                  -f $(git rev-parse --show-toplevel)/values-global.yaml
-                  -f $(git rev-parse --show-toplevel)/values-factory.yaml
-                  --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL
-                  --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION
-                  --set global.namespace=$ARGOCD_APP_NAMESPACE
-                  --set global.pattern=mypattern
-                  --set global.clusterDomain=region.example.com
-                  --set global.hubClusterDomain=apps.hub.example.com
-                  --set global.localClusterDomain=apps.region.example.com
-                  --set clusterGroup.name=factory
-                  --post-renderer ./kustomize"]
-        initContainers: []
-        resourceExclusions: |
-          - apiGroups:
-            - tekton.dev
-            kinds:
-            - TaskRun
-            - PipelineRun
-        resourceHealthChecks:
-        - check: |
-            hs = {}
-            if obj.status ~= nil then
-              if obj.status.phase ~= nil then
-                if obj.status.phase == "Pending" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                elseif obj.status.phase == "Bound" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                end
-              end
-            end
-            hs.status = "Progressing"
-            hs.message = "Waiting for PVC"
-            return hs
-          kind: PersistentVolumeClaim
-        resourceTrackingMethod: label
-      imperative:
-        activeDeadlineSeconds: 3600
-        adminClusterRoleName: imperative-admin-cluster-role
-        adminServiceAccountCreate: true
-        adminServiceAccountName: imperative-admin-sa
-        clusterRoleName: imperative-cluster-role
-        clusterRoleYaml: ""
-        cronJobName: imperative-cronjob
-        image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-        imagePullPolicy: Always
-        insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *'
-        jobName: imperative-job
-        jobs:
-        - name: test
-          playbook: ansible/test.yml
-        namespace: imperative
-        roleName: imperative-role
-        roleYaml: ""
-        schedule: '*/10 * * * *'
-        serviceAccountCreate: true
-        serviceAccountName: imperative-sa
-        valuesConfigMap: helm-values-configmap
-        verbosity: ""
-      isHubCluster: false
-      managedClusterGroups: {}
-      name: factory
-      namespaces:
-      - manuela-stormshift-line-dashboard
-      - manuela-stormshift-machine-sensor
-      - manuela-stormshift-messaging
-      - manuela-factory-ml-workspace
-      nodes: []
-      operatorgroupExcludes:
-      - manuela-factory-ml-workspace
-      projects:
-      - factory
-      sharedValueFiles: []
-      subscriptions:
-      - channel: stable
-        name: opendatahub-operator
-        source: community-operators
-      - channel: stable
-        name: seldon-operator
-        namespace: manuela-stormshift-messaging
-        source: community-operators
-      - channel: stable
-        name: amq-streams
-        namespace: manuela-stormshift-messaging
-      - channel: 7.x
-        name: amq-broker-rhel8
-        namespace: manuela-stormshift-messaging
-      - channel: stable
-        name: red-hat-camel-k
-        namespace: manuela-stormshift-messaging
-      targetCluster: in-cluster
-    enabled: all
-    global:
-      clusterDomain: region.example.com
-      clusterPlatform: aws
-      clusterVersion: "4.12"
-      extraValueFiles: []
-      hubClusterDomain: apps.hub.example.com
-      localClusterDomain: apps.region.example.com
-      namespace: pattern-namespace
-      options:
-        applicationRetryLimit: 20
-        installPlanApproval: Automatic
-        syncPolicy: Automatic
-        useCSV: false
-      pattern: mypattern
-      repoURL: https://github.com/pattern-clone/mypattern
-      secretStore:
-        backend: vault
-      targetRevision: main
-    main:
-      clusterGroupName: hub
-      git:
-        repoURL: https://github.com/pattern-clone/mypattern
-        revision: main
-      multiSourceConfig:
-        enabled: true
-    secretStore:
-      kind: ClusterSecretStore
-      name: vault-backend
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: trusted-ca-bundle
-  namespace: imperative
-  annotations:
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: "argocd-cmp-helm-with-kustomize"
-  namespace: mypattern-factory
-data:
-  "plugin.yaml": | 
-    apiVersion: argoproj.io/v1alpha1
-    kind: ConfigManagementPlugin
-    metadata:
-      name: helm-with-kustomize
-    spec:
-      preserveFileMode: true
-      init:
-        command: ["/bin/sh", "-c"]
-        args: ["helm dependency build"]
-      generate:
-        command: ["/bin/bash", "-c"]
-        args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52}
-          -f $(git rev-parse --show-toplevel)/values-global.yaml
-          -f $(git rev-parse --show-toplevel)/values-factory.yaml
-          --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL
-          --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION
-          --set global.namespace=$ARGOCD_APP_NAMESPACE
-          --set global.pattern=mypattern
-          --set global.clusterDomain=region.example.com
-          --set global.hubClusterDomain=apps.hub.example.com
-          --set global.localClusterDomain=apps.region.example.com
-          --set clusterGroup.name=factory
-          --post-renderer ./kustomize"]
----
-# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: trusted-ca-bundle
-  namespace: mypattern-factory
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - get
-    - list
-    - watch
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-admin-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-cluster-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-admin-clusterrolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-admin-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-admin-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: openshift-gitops-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-application-controller
-    namespace: openshift-gitops
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-server
-    namespace: openshift-gitops
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: mypattern-factory-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-application-controller
-    name: factory-gitops-argocd-application-controller
-    namespace: mypattern-factory
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-server
-    name: factory-gitops-argocd-server
-    namespace: mypattern-factory
-  # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76)
-  - kind: ServiceAccount
-    name: factory-gitops-argocd-dex-server
-    namespace: mypattern-factory
----
-# Source: clustergroup/templates/imperative/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: imperative-role
-  namespace: imperative
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: imperative-rolebinding
-  namespace: imperative
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: imperative-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/job.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: imperative-cronjob
-  namespace: imperative
-spec:
-  schedule: "*/10 * * * *"
-  # if previous Job is still running, skip execution of a new Job
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 3600
-      template:
-        metadata:
-          name: imperative-job
-        spec:
-          serviceAccountName: imperative-sa
-          initContainers:
-            # git init happens in /git/repo so that we can set the folder to 0770 permissions
-            # reason for that is ansible refuses to create temporary folders in there            
-            - name: fetch-ca
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
-                ls -l /tmp/ca-bundles/
-              volumeMounts:
-              - mountPath: /var/run/kube-root-ca
-                name: kube-root-ca
-              - mountPath: /var/run/trusted-ca
-                name: trusted-ca-bundle
-              - mountPath: /var/run/trusted-hub
-                name: trusted-hub-bundle
-              - mountPath: /tmp/ca-bundles
-                name: ca-bundles            
-            - name: git-init
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              volumeMounts:
-              - name: git
-                mountPath: "/git"
-              - name: ca-bundles
-                mountPath: /etc/pki/tls/certs
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
-                  URL="https://github.com/pattern-clone/mypattern";
-                else
-                  if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
-                    U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
-                    P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
-                  else
-                    S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
-                    mkdir -p --mode 0700 "${HOME}/.ssh";
-                    echo "${S}" > "${HOME}/.ssh/id_rsa";
-                    chmod 0600 "${HOME}/.ssh/id_rsa";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/");
-                    git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
-                  fi;
-                fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi;
-                if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi;
-                mkdir /git/{repo,home};
-                git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo;
-                chmod 0770 /git/{repo,home};
-            - name: test
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              workingDir: /git/repo
-              # We have a default timeout of 600s for each playbook. Can be overridden
-              # on a per-job basis
-              command:
-                - timeout
-                - "600"
-                - ansible-playbook
-                - -e
-                - "@/values/values.yaml"
-                - ansible/test.yml
-              volumeMounts:                
-                - name: git
-                  mountPath: "/git"
-                - name: values-volume
-                  mountPath: /values/values.yaml
-                  subPath: values.yaml
-                - mountPath: /var/run/kube-root-ca
-                  name: kube-root-ca
-                - mountPath: /var/run/trusted-ca
-                  name: trusted-ca-bundle
-                - mountPath: /var/run/trusted-hub
-                  name: trusted-hub-bundle
-                - mountPath: /tmp/ca-bundles
-                  name: ca-bundles
-          containers:            
-            - name: "done"
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              command:
-                - 'sh'
-                - '-c'
-                - 'echo'
-                - 'done'
-                - '\n'
-          volumes:            
-            - name: git
-              emptyDir: {}
-            - name: values-volume
-              configMap:
-                name: helm-values-configmap-factory
-            - configMap:
-                name: kube-root-ca.crt
-              name: kube-root-ca
-            - configMap:
-                name: trusted-ca-bundle
-                optional: true
-              name: trusted-ca-bundle
-            - configMap:
-                name: trusted-hub-bundle
-                optional: true
-              name: trusted-hub-bundle
-            - name: ca-bundles
-              emptyDir: {}
-          restartPolicy: Never
----
-# Source: clustergroup/templates/core/subscriptions.yaml
----
----
-# Source: clustergroup/templates/plumbing/projects.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: factory
-  namespace: mypattern-factory
-spec:
-  description: "Pattern factory"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: stormshift
-  namespace: mypattern-factory
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: mypattern-factory
-  project: factory
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/factory/manuela-stormshift
-    plugin: {
-  "name": "helm-with-kustomize"
-}
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: odh
-  namespace: mypattern-factory
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: manuela-factory-ml-workspace
-  project: factory
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/datacenter/opendatahub
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-factory.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-factory.yaml"
-      - "/values-4.12-factory.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: argoproj.io/v1beta1
-kind: ArgoCD
-metadata:
-  finalizers:
-  - argoproj.io/finalizer
-  # Changing the name affects the ClusterRoleBinding, the generated secret,
-  # route URL, and argocd.argoproj.io/managed-by annotations
-  name: factory-gitops
-  namespace: mypattern-factory
-  annotations:
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-# Adding health checks to argocd to prevent pvc resources
-# that aren't bound state from blocking deployments
-  resourceHealthChecks:
-  - kind: PersistentVolumeClaim
-    check: |
-      hs = {}
-      if obj.status ~= nil then
-        if obj.status.phase ~= nil then
-          if obj.status.phase == "Pending" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          elseif obj.status.phase == "Bound" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          end
-        end
-      end
-      hs.status = "Progressing"
-      hs.message = "Waiting for PVC"
-      return hs
-
-  resourceTrackingMethod: label
-  applicationInstanceLabelKey: argocd.argoproj.io/instance
-  applicationSet:
-    resources:
-      limits:
-        cpu: "2"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 512Mi
-  controller:
-    processors: {}
-    resources:
-      limits:
-        cpu: "4"
-        memory: 4Gi
-      requests:
-        cpu: 500m
-        memory: 2Gi
-  sso:
-    provider: dex
-    dex:
-      openShiftOAuth: true
-      resources:
-        limits:
-          cpu: 500m
-          memory: 256Mi
-        requests:
-          cpu: 250m
-          memory: 128Mi
-  initialSSHKnownHosts: {}
-  rbac:
-    defaultPolicy: role:admin
-  repo:
-    initContainers:
-    - command:
-      - bash
-      - -c
-      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true
-      image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-      name: fetch-ca
-      resources: {}
-      volumeMounts:
-      - mountPath: /var/run/kube-root-ca
-        name: kube-root-ca
-      - mountPath: /var/run/trusted-ca
-        name: trusted-ca-bundle
-      - mountPath: /var/run/trusted-hub
-        name: trusted-hub-bundle
-      - mountPath: /tmp/ca-bundles
-        name: ca-bundles
-    resources:
-      limits:
-        cpu: "1"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-    volumeMounts:
-    - mountPath: /etc/pki/tls/certs
-      name: ca-bundles
-    volumes:
-    - configMap:
-        name: kube-root-ca.crt
-      name: kube-root-ca
-    - configMap:
-        name: trusted-ca-bundle
-        optional: true
-      name: trusted-ca-bundle
-    - configMap:
-        name: trusted-hub-bundle
-        optional: true
-      name: trusted-hub-bundle
-    - emptyDir: {}
-      name: ca-bundles
-    sidecarContainers:
-      - name: helm-with-kustomize
-        command: [/var/run/argocd/argocd-cmp-server]
-        args: [
-  "--loglevel=debug"
-]
-        image: quay.io/hybridcloudpatterns/utility-container:latest
-        imagePullPolicy: Always
-        securityContext:
-          runAsNonRoot: true
-        volumeMounts:
-          - mountPath: /var/run/argocd
-            name: var-files
-          - mountPath: /home/argocd/cmp-server/plugins
-            name: plugins
-          - mountPath: /tmp
-            name: cmp-tmp
-          - mountPath: /home/argocd/cmp-server/config/plugin.yaml
-            subPath: plugin.yaml
-            name: helm-with-kustomize
-    volumes:
-      - emptyDir: {}
-        name: cmp-tmp
-      - configMap:
-          name: "argocd-cmp-helm-with-kustomize"
-        name: helm-with-kustomize
-    resources:
-      limits:
-        cpu: "1"
-        memory: 512Mi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-  resourceExclusions:  |
-    - apiGroups:
-      - tekton.dev
-      kinds:
-      - TaskRun
-      - PipelineRun
-  server:
-    autoscale:
-      enabled: false
-    grpc:
-      ingress:
-        enabled: false
-    ingress:
-      enabled: false
-    resources:
-      limits:
-        cpu: 500m
-        memory: 256Mi
-      requests:
-        cpu: 125m
-        memory: 128Mi
-    route:
-      enabled: true
-      tls:
-        insecureEdgeTerminationPolicy: Redirect
-        termination: reencrypt
-    service:
-      type: ""
-  tls:
-    ca: {}
-status:
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: factory-gitops-link
-  namespace: mypattern-factory
-spec:
-  applicationMenu:
-    section: OpenShift GitOps
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII=
-  href: 'https://factory-gitops-server-mypattern-factory.apps.region.example.com'
-  location: ApplicationMenu
-  text: 'Factory ArgoCD'
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: manuela-stormshift-line-dashboard-operator-group
-  namespace: manuela-stormshift-line-dashboard
-spec:
-  targetNamespaces:
-  - manuela-stormshift-line-dashboard
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: manuela-stormshift-machine-sensor-operator-group
-  namespace: manuela-stormshift-machine-sensor
-spec:
-  targetNamespaces:
-  - manuela-stormshift-machine-sensor
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: manuela-stormshift-messaging-operator-group
-  namespace: manuela-stormshift-messaging
-spec:
-  targetNamespaces:
-  - manuela-stormshift-messaging
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: opendatahub-operator
-  namespace: openshift-operators
-spec:
-  name: opendatahub-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: seldon-operator
-  namespace: manuela-stormshift-messaging
-spec:
-  name: seldon-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: amq-streams
-  namespace: manuela-stormshift-messaging
-spec:
-  name: amq-streams
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: amq-broker-rhel8
-  namespace: manuela-stormshift-messaging
-spec:
-  name: amq-broker-rhel8
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: 7.x
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: red-hat-camel-k
-  namespace: manuela-stormshift-messaging
-spec:
-  name: red-hat-camel-k
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
diff --git a/tests/common-clustergroup-industrial-edge-hub.expected.yaml b/tests/common-clustergroup-industrial-edge-hub.expected.yaml
deleted file mode 100644
index 7e2fe626..00000000
--- a/tests/common-clustergroup-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,1899 +0,0 @@
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: golang-external-secrets
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: external-secrets
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: open-cluster-management
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: manuela-ml-workspace
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: manuela-tst-all
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: manuela-ci
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: manuela-data-lake
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: staging
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: vault
-spec:
----
-# Source: clustergroup/templates/imperative/namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: imperative
-    argocd.argoproj.io/managed-by: mypattern-datacenter
-  name: imperative
----
-# Source: clustergroup/templates/plumbing/gitops-namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: mypattern-datacenter
-  # The name here needs to be consistent with
-  # - acm/templates/policies/application-policies.yaml
-  # - clustergroup/templates/applications.yaml
-  # - any references to secrets and route URLs in documentation
-  name: mypattern-datacenter
-spec: {}
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-admin-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: helm-values-configmap-datacenter
-  namespace: imperative
-data:
-  values.yaml: |
-    clusterGroup:
-      applications:
-        acm:
-          ignoreDifferences:
-          - group: internal.open-cluster-management.io
-            jsonPointers:
-            - /spec/loggingCA
-            kind: ManagedClusterInfo
-          name: acm
-          namespace: open-cluster-management
-          path: common/acm
-          project: datacenter
-        odh:
-          name: odh
-          namespace: manuela-ml-workspace
-          path: charts/datacenter/opendatahub
-          project: datacenter
-        pipelines:
-          name: pipelines
-          namespace: manuela-ci
-          path: charts/datacenter/pipelines
-          project: datacenter
-        production-data-lake:
-          ignoreDifferences:
-          - group: apps
-            jsonPointers:
-            - /spec/replicas
-            kind: Deployment
-          - group: route.openshift.io
-            jsonPointers:
-            - /status
-            kind: Route
-          - group: image.openshift.io
-            jsonPointers:
-            - /spec/tags
-            kind: ImageStream
-          - group: apps.openshift.io
-            jsonPointers:
-            - /spec/template/spec/containers/0/image
-            kind: DeploymentConfig
-          name: production-data-lake
-          namespace: manuela-data-lake
-          path: charts/datacenter/manuela-data-lake
-          project: production-datalake
-        secrets:
-          name: external-secrets
-          namespace: external-secrets
-          path: charts/datacenter/external-secrets
-          project: golang-external-secrets
-        secrets-operator:
-          name: golang-external-secrets
-          namespace: golang-external-secrets
-          path: common/golang-external-secrets
-          project: golang-external-secrets
-        test:
-          name: manuela-test
-          namespace: manuela-tst-all
-          path: charts/datacenter/manuela-tst
-          plugin:
-            name: helm-with-kustomize
-          project: datacenter
-        vault:
-          chart: vault
-          name: vault
-          namespace: vault
-          overrides:
-          - name: global.openshift
-            value: "true"
-          - name: injector.enabled
-            value: "false"
-          - name: ui.enabled
-            value: "true"
-          - name: ui.serviceType
-            value: LoadBalancer
-          - name: server.route.enabled
-            value: "true"
-          - name: server.route.host
-            value: null
-          - name: server.route.tls.termination
-            value: edge
-          - name: server.image.repository
-            value: registry.connect.redhat.com/hashicorp/vault
-          - name: server.image.tag
-            value: 1.10.3-ubi
-          project: datacenter
-          repoURL: https://helm.releases.hashicorp.com
-          targetRevision: v0.20.1
-      argoCD:
-        configManagementPlugins:
-        - image: quay.io/hybridcloudpatterns/utility-container:latest
-          name: helm-with-kustomize
-          pluginArgs:
-          - --loglevel=debug
-          pluginConfig: |
-            apiVersion: argoproj.io/v1alpha1
-            kind: ConfigManagementPlugin
-            metadata:
-              name: helm-with-kustomize
-            spec:
-              preserveFileMode: true
-              init:
-                command: ["/bin/sh", "-c"]
-                args: ["helm dependency build"]
-              generate:
-                command: ["/bin/bash", "-c"]
-                args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52}
-                  -f $(git rev-parse --show-toplevel)/values-global.yaml
-                  -f $(git rev-parse --show-toplevel)/values-datacenter.yaml
-                  --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL
-                  --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION
-                  --set global.namespace=$ARGOCD_APP_NAMESPACE
-                  --set global.pattern=mypattern
-                  --set global.clusterDomain=region.example.com
-                  --set global.hubClusterDomain=apps.hub.example.com
-                  --set global.localClusterDomain=apps.region.example.com
-                  --set clusterGroup.name=datacenter
-                  --post-renderer ./kustomize"]
-        initContainers: []
-        resourceExclusions: |
-          - apiGroups:
-            - tekton.dev
-            kinds:
-            - TaskRun
-            - PipelineRun
-        resourceHealthChecks:
-        - check: |
-            hs = {}
-            if obj.status ~= nil then
-              if obj.status.phase ~= nil then
-                if obj.status.phase == "Pending" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                elseif obj.status.phase == "Bound" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                end
-              end
-            end
-            hs.status = "Progressing"
-            hs.message = "Waiting for PVC"
-            return hs
-          kind: PersistentVolumeClaim
-        resourceTrackingMethod: label
-      imperative:
-        activeDeadlineSeconds: 3600
-        adminClusterRoleName: imperative-admin-cluster-role
-        adminServiceAccountCreate: true
-        adminServiceAccountName: imperative-admin-sa
-        clusterRoleName: imperative-cluster-role
-        clusterRoleYaml: ""
-        cronJobName: imperative-cronjob
-        image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-        imagePullPolicy: Always
-        insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *'
-        jobName: imperative-job
-        jobs:
-        - name: test
-          playbook: ansible/test.yml
-        namespace: imperative
-        roleName: imperative-role
-        roleYaml: ""
-        schedule: '*/10 * * * *'
-        serviceAccountCreate: true
-        serviceAccountName: imperative-sa
-        valuesConfigMap: helm-values-configmap
-        verbosity: ""
-      isHubCluster: true
-      managedClusterGroups:
-        factory:
-          clusterSelector:
-            matchExpressions:
-            - key: vendor
-              operator: In
-              values:
-              - OpenShift
-            matchLabels:
-              clusterGroup: factory
-          helmOverrides:
-          - name: clusterGroup.isHubCluster
-            value: "false"
-          name: factory
-      name: datacenter
-      namespaces:
-      - golang-external-secrets
-      - external-secrets
-      - open-cluster-management
-      - manuela-ml-workspace
-      - manuela-tst-all
-      - manuela-ci
-      - manuela-data-lake
-      - staging
-      - vault
-      nodes: []
-      operatorgroupExcludes:
-      - manuela-ml-workspace
-      projects:
-      - datacenter
-      - production-datalake
-      - golang-external-secrets
-      - vault
-      sharedValueFiles: []
-      subscriptions:
-        acm:
-          channel: release-2.6
-          name: advanced-cluster-management
-          namespace: open-cluster-management
-        amqbroker-prod:
-          channel: 7.x
-          name: amq-broker-rhel8
-          namespace: manuela-tst-all
-        amqstreams-prod-dev:
-          channel: stable
-          name: amq-streams
-          namespaces:
-          - manuela-data-lake
-          - manuela-tst-all
-        camelk-prod-dev:
-          channel: stable
-          name: red-hat-camel-k
-          namespaces:
-          - manuela-data-lake
-          - manuela-tst-all
-        odh:
-          channel: stable
-          name: opendatahub-operator
-          source: community-operators
-        pipelines:
-          channel: latest
-          name: openshift-pipelines-operator-rh
-          source: redhat-operators
-        seldon-prod-dev:
-          channel: stable
-          name: seldon-operator
-          namespaces:
-          - manuela-ml-workspace
-          - manuela-tst-all
-          source: community-operators
-      targetCluster: in-cluster
-    enabled: all
-    global:
-      clusterDomain: region.example.com
-      clusterPlatform: aws
-      clusterVersion: "4.12"
-      extraValueFiles: []
-      hubClusterDomain: apps.hub.example.com
-      localClusterDomain: apps.region.example.com
-      namespace: pattern-namespace
-      options:
-        applicationRetryLimit: 20
-        installPlanApproval: Automatic
-        syncPolicy: Automatic
-        useCSV: false
-      pattern: mypattern
-      repoURL: https://github.com/pattern-clone/mypattern
-      secretStore:
-        backend: vault
-      targetRevision: main
-    main:
-      clusterGroupName: hub
-      git:
-        repoURL: https://github.com/pattern-clone/mypattern
-        revision: main
-      multiSourceConfig:
-        enabled: true
-    secretStore:
-      kind: ClusterSecretStore
-      name: vault-backend
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: trusted-ca-bundle
-  namespace: imperative
-  annotations:
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: "argocd-cmp-helm-with-kustomize"
-  namespace: mypattern-datacenter
-data:
-  "plugin.yaml": | 
-    apiVersion: argoproj.io/v1alpha1
-    kind: ConfigManagementPlugin
-    metadata:
-      name: helm-with-kustomize
-    spec:
-      preserveFileMode: true
-      init:
-        command: ["/bin/sh", "-c"]
-        args: ["helm dependency build"]
-      generate:
-        command: ["/bin/bash", "-c"]
-        args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52}
-          -f $(git rev-parse --show-toplevel)/values-global.yaml
-          -f $(git rev-parse --show-toplevel)/values-datacenter.yaml
-          --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL
-          --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION
-          --set global.namespace=$ARGOCD_APP_NAMESPACE
-          --set global.pattern=mypattern
-          --set global.clusterDomain=region.example.com
-          --set global.hubClusterDomain=apps.hub.example.com
-          --set global.localClusterDomain=apps.region.example.com
-          --set clusterGroup.name=datacenter
-          --post-renderer ./kustomize"]
----
-# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: trusted-ca-bundle
-  namespace: mypattern-datacenter
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - get
-    - list
-    - watch
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-admin-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-cluster-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-admin-clusterrolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-admin-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-admin-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: openshift-gitops-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-application-controller
-    namespace: openshift-gitops
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-server
-    namespace: openshift-gitops
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: mypattern-datacenter-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-application-controller
-    name: datacenter-gitops-argocd-application-controller
-    namespace: mypattern-datacenter
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-server
-    name: datacenter-gitops-argocd-server
-    namespace: mypattern-datacenter
-  # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76)
-  - kind: ServiceAccount
-    name: datacenter-gitops-argocd-dex-server
-    namespace: mypattern-datacenter
----
-# Source: clustergroup/templates/imperative/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: imperative-role
-  namespace: imperative
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: imperative-rolebinding
-  namespace: imperative
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: imperative-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/job.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: imperative-cronjob
-  namespace: imperative
-spec:
-  schedule: "*/10 * * * *"
-  # if previous Job is still running, skip execution of a new Job
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 3600
-      template:
-        metadata:
-          name: imperative-job
-        spec:
-          serviceAccountName: imperative-sa
-          initContainers:
-            # git init happens in /git/repo so that we can set the folder to 0770 permissions
-            # reason for that is ansible refuses to create temporary folders in there            
-            - name: fetch-ca
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
-                ls -l /tmp/ca-bundles/
-              volumeMounts:
-              - mountPath: /var/run/kube-root-ca
-                name: kube-root-ca
-              - mountPath: /var/run/trusted-ca
-                name: trusted-ca-bundle
-              - mountPath: /var/run/trusted-hub
-                name: trusted-hub-bundle
-              - mountPath: /tmp/ca-bundles
-                name: ca-bundles            
-            - name: git-init
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              volumeMounts:
-              - name: git
-                mountPath: "/git"
-              - name: ca-bundles
-                mountPath: /etc/pki/tls/certs
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
-                  URL="https://github.com/pattern-clone/mypattern";
-                else
-                  if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
-                    U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
-                    P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
-                  else
-                    S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
-                    mkdir -p --mode 0700 "${HOME}/.ssh";
-                    echo "${S}" > "${HOME}/.ssh/id_rsa";
-                    chmod 0600 "${HOME}/.ssh/id_rsa";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/");
-                    git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
-                  fi;
-                fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi;
-                if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi;
-                mkdir /git/{repo,home};
-                git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo;
-                chmod 0770 /git/{repo,home};
-            - name: test
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              workingDir: /git/repo
-              # We have a default timeout of 600s for each playbook. Can be overridden
-              # on a per-job basis
-              command:
-                - timeout
-                - "600"
-                - ansible-playbook
-                - -e
-                - "@/values/values.yaml"
-                - ansible/test.yml
-              volumeMounts:                
-                - name: git
-                  mountPath: "/git"
-                - name: values-volume
-                  mountPath: /values/values.yaml
-                  subPath: values.yaml
-                - mountPath: /var/run/kube-root-ca
-                  name: kube-root-ca
-                - mountPath: /var/run/trusted-ca
-                  name: trusted-ca-bundle
-                - mountPath: /var/run/trusted-hub
-                  name: trusted-hub-bundle
-                - mountPath: /tmp/ca-bundles
-                  name: ca-bundles
-          containers:            
-            - name: "done"
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              command:
-                - 'sh'
-                - '-c'
-                - 'echo'
-                - 'done'
-                - '\n'
-          volumes:            
-            - name: git
-              emptyDir: {}
-            - name: values-volume
-              configMap:
-                name: helm-values-configmap-datacenter
-            - configMap:
-                name: kube-root-ca.crt
-              name: kube-root-ca
-            - configMap:
-                name: trusted-ca-bundle
-                optional: true
-              name: trusted-ca-bundle
-            - configMap:
-                name: trusted-hub-bundle
-                optional: true
-              name: trusted-hub-bundle
-            - name: ca-bundles
-              emptyDir: {}
-          restartPolicy: Never
----
-# Source: clustergroup/templates/imperative/unsealjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: unsealvault-cronjob
-  namespace: imperative
-spec:
-  schedule: "*/5 * * * *"
-  # if previous Job is still running, skip execution of a new Job
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 3600
-      template:
-        metadata:
-          name: unsealvault-job
-        spec:
-          serviceAccountName: imperative-sa
-          initContainers:
-            # git init happens in /git/repo so that we can set the folder to 0770 permissions
-            # reason for that is ansible refuses to create temporary folders in there            
-            - name: fetch-ca
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
-                ls -l /tmp/ca-bundles/
-              volumeMounts:
-              - mountPath: /var/run/kube-root-ca
-                name: kube-root-ca
-              - mountPath: /var/run/trusted-ca
-                name: trusted-ca-bundle
-              - mountPath: /var/run/trusted-hub
-                name: trusted-hub-bundle
-              - mountPath: /tmp/ca-bundles
-                name: ca-bundles            
-            - name: git-init
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              volumeMounts:
-              - name: git
-                mountPath: "/git"
-              - name: ca-bundles
-                mountPath: /etc/pki/tls/certs
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
-                  URL="https://github.com/pattern-clone/mypattern";
-                else
-                  if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
-                    U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
-                    P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
-                  else
-                    S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
-                    mkdir -p --mode 0700 "${HOME}/.ssh";
-                    echo "${S}" > "${HOME}/.ssh/id_rsa";
-                    chmod 0600 "${HOME}/.ssh/id_rsa";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/");
-                    git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
-                  fi;
-                fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi;
-                if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi;
-                mkdir /git/{repo,home};
-                git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo;
-                chmod 0770 /git/{repo,home};
-            - name: unseal-playbook
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              workingDir: /git/repo
-              # We have a default timeout of 600s for each playbook. Can be overridden
-              # on a per-job basis
-              command:
-                - timeout
-                - "600"
-                - ansible-playbook
-                - -e
-                - "@/values/values.yaml"
-                - -t
-                - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init'
-                - "common/ansible/playbooks/vault/vault.yaml"
-              volumeMounts:                
-                - name: git
-                  mountPath: "/git"
-                - name: values-volume
-                  mountPath: /values/values.yaml
-                  subPath: values.yaml
-                - mountPath: /var/run/kube-root-ca
-                  name: kube-root-ca
-                - mountPath: /var/run/trusted-ca
-                  name: trusted-ca-bundle
-                - mountPath: /var/run/trusted-hub
-                  name: trusted-hub-bundle
-                - mountPath: /tmp/ca-bundles
-                  name: ca-bundles
-          containers:            
-            - name: "done"
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              command:
-                - 'sh'
-                - '-c'
-                - 'echo'
-                - 'done'
-                - '\n'
-          volumes:            
-            - name: git
-              emptyDir: {}
-            - name: values-volume
-              configMap:
-                name: helm-values-configmap-datacenter
-            - configMap:
-                name: kube-root-ca.crt
-              name: kube-root-ca
-            - configMap:
-                name: trusted-ca-bundle
-                optional: true
-              name: trusted-ca-bundle
-            - configMap:
-                name: trusted-hub-bundle
-                optional: true
-              name: trusted-hub-bundle
-            - name: ca-bundles
-              emptyDir: {}
-          restartPolicy: Never
----
-# Source: clustergroup/templates/core/subscriptions.yaml
----
----
-# Source: clustergroup/templates/plumbing/projects.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: datacenter
-  namespace: mypattern-datacenter
-spec:
-  description: "Pattern datacenter"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/projects.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: production-datalake
-  namespace: mypattern-datacenter
-spec:
-  description: "Pattern production-datalake"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/projects.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: golang-external-secrets
-  namespace: mypattern-datacenter
-spec:
-  description: "Pattern golang-external-secrets"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/projects.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: vault
-  namespace: mypattern-datacenter
-spec:
-  description: "Pattern vault"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: acm
-  namespace: mypattern-datacenter
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: open-cluster-management
-  project: datacenter
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/acm
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-datacenter.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-datacenter.yaml"
-      - "/values-4.12-datacenter.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  ignoreDifferences: [
-  {
-    "group": "internal.open-cluster-management.io",
-    "jsonPointers": [
-      "/spec/loggingCA"
-    ],
-    "kind": "ManagedClusterInfo"
-  }
-]
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: odh
-  namespace: mypattern-datacenter
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: manuela-ml-workspace
-  project: datacenter
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/datacenter/opendatahub
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-datacenter.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-datacenter.yaml"
-      - "/values-4.12-datacenter.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: pipelines
-  namespace: mypattern-datacenter
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: manuela-ci
-  project: datacenter
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/datacenter/pipelines
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-datacenter.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-datacenter.yaml"
-      - "/values-4.12-datacenter.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: production-data-lake
-  namespace: mypattern-datacenter
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: manuela-data-lake
-  project: production-datalake
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/datacenter/manuela-data-lake
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-datacenter.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-datacenter.yaml"
-      - "/values-4.12-datacenter.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  ignoreDifferences: [
-  {
-    "group": "apps",
-    "jsonPointers": [
-      "/spec/replicas"
-    ],
-    "kind": "Deployment"
-  },
-  {
-    "group": "route.openshift.io",
-    "jsonPointers": [
-      "/status"
-    ],
-    "kind": "Route"
-  },
-  {
-    "group": "image.openshift.io",
-    "jsonPointers": [
-      "/spec/tags"
-    ],
-    "kind": "ImageStream"
-  },
-  {
-    "group": "apps.openshift.io",
-    "jsonPointers": [
-      "/spec/template/spec/containers/0/image"
-    ],
-    "kind": "DeploymentConfig"
-  }
-]
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: external-secrets
-  namespace: mypattern-datacenter
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: external-secrets
-  project: golang-external-secrets
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/datacenter/external-secrets
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-datacenter.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-datacenter.yaml"
-      - "/values-4.12-datacenter.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: golang-external-secrets
-  namespace: mypattern-datacenter
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: golang-external-secrets
-  project: golang-external-secrets
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/golang-external-secrets
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-datacenter.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-datacenter.yaml"
-      - "/values-4.12-datacenter.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: manuela-test
-  namespace: mypattern-datacenter
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: manuela-tst-all
-  project: datacenter
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/datacenter/manuela-tst
-    plugin: {
-  "name": "helm-with-kustomize"
-}
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vault
-  namespace: mypattern-datacenter
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: vault
-  project: datacenter
-  source:
-    repoURL: https://helm.releases.hashicorp.com
-    targetRevision: v0.20.1
-    chart: vault
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-datacenter.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-datacenter.yaml"
-      - "/values-4.12-datacenter.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-        - name: global.openshift
-          value: "true"
-        - name: injector.enabled
-          value: "false"
-        - name: ui.enabled
-          value: "true"
-        - name: ui.serviceType
-          value: "LoadBalancer"
-        - name: server.route.enabled
-          value: "true"
-        - name: server.route.host
-          value: 
-        - name: server.route.tls.termination
-          value: "edge"
-        - name: server.image.repository
-          value: "registry.connect.redhat.com/hashicorp/vault"
-        - name: server.image.tag
-          value: "1.10.3-ubi"
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: argoproj.io/v1beta1
-kind: ArgoCD
-metadata:
-  finalizers:
-  - argoproj.io/finalizer
-  # Changing the name affects the ClusterRoleBinding, the generated secret,
-  # route URL, and argocd.argoproj.io/managed-by annotations
-  name: datacenter-gitops
-  namespace: mypattern-datacenter
-  annotations:
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-# Adding health checks to argocd to prevent pvc resources
-# that aren't bound state from blocking deployments
-  resourceHealthChecks:
-  - kind: PersistentVolumeClaim
-    check: |
-      hs = {}
-      if obj.status ~= nil then
-        if obj.status.phase ~= nil then
-          if obj.status.phase == "Pending" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          elseif obj.status.phase == "Bound" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          end
-        end
-      end
-      hs.status = "Progressing"
-      hs.message = "Waiting for PVC"
-      return hs
-
-  resourceTrackingMethod: label
-  applicationInstanceLabelKey: argocd.argoproj.io/instance
-  applicationSet:
-    resources:
-      limits:
-        cpu: "2"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 512Mi
-  controller:
-    processors: {}
-    resources:
-      limits:
-        cpu: "4"
-        memory: 4Gi
-      requests:
-        cpu: 500m
-        memory: 2Gi
-  sso:
-    provider: dex
-    dex:
-      openShiftOAuth: true
-      resources:
-        limits:
-          cpu: 500m
-          memory: 256Mi
-        requests:
-          cpu: 250m
-          memory: 128Mi
-  initialSSHKnownHosts: {}
-  rbac:
-    defaultPolicy: role:admin
-  repo:
-    initContainers:
-    - command:
-      - bash
-      - -c
-      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true
-      image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-      name: fetch-ca
-      resources: {}
-      volumeMounts:
-      - mountPath: /var/run/kube-root-ca
-        name: kube-root-ca
-      - mountPath: /var/run/trusted-ca
-        name: trusted-ca-bundle
-      - mountPath: /var/run/trusted-hub
-        name: trusted-hub-bundle
-      - mountPath: /tmp/ca-bundles
-        name: ca-bundles
-    resources:
-      limits:
-        cpu: "1"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-    volumeMounts:
-    - mountPath: /etc/pki/tls/certs
-      name: ca-bundles
-    volumes:
-    - configMap:
-        name: kube-root-ca.crt
-      name: kube-root-ca
-    - configMap:
-        name: trusted-ca-bundle
-        optional: true
-      name: trusted-ca-bundle
-    - configMap:
-        name: trusted-hub-bundle
-        optional: true
-      name: trusted-hub-bundle
-    - emptyDir: {}
-      name: ca-bundles
-    sidecarContainers:
-      - name: helm-with-kustomize
-        command: [/var/run/argocd/argocd-cmp-server]
-        args: [
-  "--loglevel=debug"
-]
-        image: quay.io/hybridcloudpatterns/utility-container:latest
-        imagePullPolicy: Always
-        securityContext:
-          runAsNonRoot: true
-        volumeMounts:
-          - mountPath: /var/run/argocd
-            name: var-files
-          - mountPath: /home/argocd/cmp-server/plugins
-            name: plugins
-          - mountPath: /tmp
-            name: cmp-tmp
-          - mountPath: /home/argocd/cmp-server/config/plugin.yaml
-            subPath: plugin.yaml
-            name: helm-with-kustomize
-    volumes:
-      - emptyDir: {}
-        name: cmp-tmp
-      - configMap:
-          name: "argocd-cmp-helm-with-kustomize"
-        name: helm-with-kustomize
-    resources:
-      limits:
-        cpu: "1"
-        memory: 512Mi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-  resourceExclusions:  |
-    - apiGroups:
-      - tekton.dev
-      kinds:
-      - TaskRun
-      - PipelineRun
-  server:
-    autoscale:
-      enabled: false
-    grpc:
-      ingress:
-        enabled: false
-    ingress:
-      enabled: false
-    resources:
-      limits:
-        cpu: 500m
-        memory: 256Mi
-      requests:
-        cpu: 125m
-        memory: 128Mi
-    route:
-      enabled: true
-      tls:
-        insecureEdgeTerminationPolicy: Redirect
-        termination: reencrypt
-    service:
-      type: ""
-  tls:
-    ca: {}
-status:
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: datacenter-gitops-link
-  namespace: mypattern-datacenter
-spec:
-  applicationMenu:
-    section: OpenShift GitOps
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII=
-  href: 'https://datacenter-gitops-server-mypattern-datacenter.apps.region.example.com'
-  location: ApplicationMenu
-  text: 'Datacenter ArgoCD'
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: golang-external-secrets-operator-group
-  namespace: golang-external-secrets
-spec:
-  targetNamespaces:
-  - golang-external-secrets
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: external-secrets-operator-group
-  namespace: external-secrets
-spec:
-  targetNamespaces:
-  - external-secrets
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: open-cluster-management-operator-group
-  namespace: open-cluster-management
-spec:
-  targetNamespaces:
-  - open-cluster-management
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: manuela-tst-all-operator-group
-  namespace: manuela-tst-all
-spec:
-  targetNamespaces:
-  - manuela-tst-all
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: manuela-ci-operator-group
-  namespace: manuela-ci
-spec:
-  targetNamespaces:
-  - manuela-ci
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: manuela-data-lake-operator-group
-  namespace: manuela-data-lake
-spec:
-  targetNamespaces:
-  - manuela-data-lake
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: staging-operator-group
-  namespace: staging
-spec:
-  targetNamespaces:
-  - staging
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: vault-operator-group
-  namespace: vault
-spec:
-  targetNamespaces:
-  - vault
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: advanced-cluster-management
-  namespace: open-cluster-management
-spec:
-  name: advanced-cluster-management
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: release-2.6
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: amq-broker-rhel8
-  namespace: manuela-tst-all
-spec:
-  name: amq-broker-rhel8
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: 7.x
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: amq-streams
-  namespace: manuela-data-lake
-spec:
-  name: amq-streams
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: amq-streams
-  namespace: manuela-tst-all
-spec:
-  name: amq-streams
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: red-hat-camel-k
-  namespace: manuela-data-lake
-spec:
-  name: red-hat-camel-k
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: red-hat-camel-k
-  namespace: manuela-tst-all
-spec:
-  name: red-hat-camel-k
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: opendatahub-operator
-  namespace: openshift-operators
-spec:
-  name: opendatahub-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-pipelines-operator-rh
-  namespace: openshift-operators
-spec:
-  name: openshift-pipelines-operator-rh
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: latest
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: seldon-operator
-  namespace: manuela-ml-workspace
-spec:
-  name: seldon-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: seldon-operator
-  namespace: manuela-tst-all
-spec:
-  name: seldon-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
diff --git a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index aeb091a9..00000000
--- a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,2039 +0,0 @@
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: open-cluster-management
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: openshift-serverless
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: opendatahub
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: openshift-storage
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: xraylab-1
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: knative-serving
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: staging
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: vault
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: golang-external-secrets
-spec:
----
-# Source: clustergroup/templates/imperative/namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: imperative
-    argocd.argoproj.io/managed-by: mypattern-hub
-  name: imperative
----
-# Source: clustergroup/templates/plumbing/gitops-namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: mypattern-hub
-  # The name here needs to be consistent with
-  # - acm/templates/policies/application-policies.yaml
-  # - clustergroup/templates/applications.yaml
-  # - any references to secrets and route URLs in documentation
-  name: mypattern-hub
-spec: {}
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-admin-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: helm-values-configmap-hub
-  namespace: imperative
-data:
-  values.yaml: |
-    clusterGroup:
-      applications:
-        golang-external-secrets:
-          name: golang-external-secrets
-          namespace: golang-external-secrets
-          path: common/golang-external-secrets
-          project: hub
-        kafdrop:
-          name: kafdrop
-          namespace: xraylab-1
-          path: charts/all/kafdrop
-          project: medical-diagnosis
-        kafka:
-          name: kafka
-          namespace: xraylab-1
-          path: charts/all/kafka
-          project: medical-diagnosis
-        opendatahub:
-          name: odh
-          namespace: opendatahub
-          path: charts/all/opendatahub
-          project: medical-diagnosis
-        openshift-data-foundations:
-          name: odf
-          namespace: openshift-storage
-          path: charts/all/openshift-data-foundations
-          project: medical-diagnosis
-        openshift-serverless:
-          name: serverless
-          namespace: xraylab-1
-          path: charts/all/openshift-serverless
-          project: medical-diagnosis
-        service-account:
-          name: xraylab-service-account
-          namespace: xraylab-1
-          path: charts/all/medical-diagnosis/service-account
-          project: medical-diagnosis
-        vault:
-          chart: vault
-          name: vault
-          namespace: vault
-          overrides:
-          - name: global.openshift
-            value: "true"
-          - name: injector.enabled
-            value: "false"
-          - name: ui.enabled
-            value: "true"
-          - name: ui.serviceType
-            value: LoadBalancer
-          - name: server.route.enabled
-            value: "true"
-          - name: server.route.host
-            value: null
-          - name: server.route.tls.termination
-            value: edge
-          - name: server.image.repository
-            value: registry.connect.redhat.com/hashicorp/vault
-          - name: server.image.tag
-            value: 1.10.3-ubi
-          project: hub
-          repoURL: https://helm.releases.hashicorp.com
-          targetRevision: v0.20.1
-        xraylab-database:
-          name: xraylab-database
-          namespace: xraylab-1
-          path: charts/all/medical-diagnosis/database
-          project: medical-diagnosis
-        xraylab-grafana-dashboards:
-          name: xraylab-grafana-dashboards
-          namespace: xraylab-1
-          path: charts/all/medical-diagnosis/grafana
-          project: medical-diagnosis
-        xraylab-image-generator:
-          ignoreDifferences:
-          - group: apps.openshift.io
-            jqPathExpressions:
-            - .spec.template.spec.containers[].image
-            kind: DeploymentConfig
-          name: xraylab-image-generator
-          namespace: xraylab-1
-          path: charts/all/medical-diagnosis/image-generator
-          project: medical-diagnosis
-        xraylab-image-server:
-          ignoreDifferences:
-          - group: apps.openshift.io
-            jqPathExpressions:
-            - .spec.template.spec.containers[].image
-            kind: DeploymentConfig
-          name: xraylab-image-server
-          namespace: xraylab-1
-          path: charts/all/medical-diagnosis/image-server
-          project: medical-diagnosis
-        xraylab-init:
-          name: xraylab-init
-          namespace: xraylab-1
-          path: charts/all/medical-diagnosis/xray-init
-          project: medical-diagnosis
-      argoCD:
-        configManagementPlugins: []
-        initContainers: []
-        resourceExclusions: |
-          - apiGroups:
-            - tekton.dev
-            kinds:
-            - TaskRun
-            - PipelineRun
-        resourceHealthChecks:
-        - check: |
-            hs = {}
-            if obj.status ~= nil then
-              if obj.status.phase ~= nil then
-                if obj.status.phase == "Pending" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                elseif obj.status.phase == "Bound" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                end
-              end
-            end
-            hs.status = "Progressing"
-            hs.message = "Waiting for PVC"
-            return hs
-          kind: PersistentVolumeClaim
-        resourceTrackingMethod: label
-      imperative:
-        activeDeadlineSeconds: 3600
-        adminClusterRoleName: imperative-admin-cluster-role
-        adminServiceAccountCreate: true
-        adminServiceAccountName: imperative-admin-sa
-        clusterRoleName: imperative-cluster-role
-        clusterRoleYaml: ""
-        cronJobName: imperative-cronjob
-        image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-        imagePullPolicy: Always
-        insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *'
-        jobName: imperative-job
-        jobs:
-        - name: test
-          playbook: ansible/test.yml
-          timeout: 234
-        namespace: imperative
-        roleName: imperative-role
-        roleYaml: ""
-        schedule: '*/10 * * * *'
-        serviceAccountCreate: true
-        serviceAccountName: imperative-sa
-        valuesConfigMap: helm-values-configmap
-        verbosity: ""
-      isHubCluster: true
-      managedClusterGroups:
-        region-one:
-          clusterSelector:
-            matchLabels:
-              clusterGroup: region-one
-          helmOverrides:
-          - name: clusterGroup.isHubCluster
-            value: false
-          name: region-one
-      name: hub
-      namespaces:
-      - open-cluster-management
-      - openshift-serverless
-      - opendatahub
-      - openshift-storage
-      - xraylab-1
-      - knative-serving
-      - staging
-      - vault
-      - golang-external-secrets
-      nodes: []
-      projects:
-      - hub
-      - medical-diagnosis
-      sharedValueFiles: []
-      subscriptions:
-        amq-streams:
-          channel: stable
-          name: amq-streams
-          namespace: xraylab-1
-        grafana:
-          channel: v4
-          name: grafana-operator
-          namespace: xraylab-1
-          source: community-operators
-        odf:
-          channel: stable-4.11
-          name: odf-operator
-          namespace: openshift-storage
-        opendatahub:
-          name: opendatahub-operator
-          source: community-operators
-        severless:
-          channel: stable
-          name: serverless-operator
-      targetCluster: in-cluster
-    enabled: all
-    global:
-      clusterDomain: region.example.com
-      clusterPlatform: aws
-      clusterVersion: "4.12"
-      extraValueFiles: []
-      hubClusterDomain: apps.hub.example.com
-      localClusterDomain: apps.region.example.com
-      namespace: pattern-namespace
-      options:
-        applicationRetryLimit: 20
-        installPlanApproval: Automatic
-        syncPolicy: Automatic
-        useCSV: false
-      pattern: mypattern
-      repoURL: https://github.com/pattern-clone/mypattern
-      secretStore:
-        backend: vault
-      targetRevision: main
-    main:
-      clusterGroupName: hub
-      git:
-        repoURL: https://github.com/pattern-clone/mypattern
-        revision: main
-      multiSourceConfig:
-        enabled: true
-    secretStore:
-      kind: ClusterSecretStore
-      name: vault-backend
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: trusted-ca-bundle
-  namespace: imperative
-  annotations:
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: trusted-ca-bundle
-  namespace: mypattern-hub
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - get
-    - list
-    - watch
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-admin-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-cluster-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-admin-clusterrolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-admin-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-admin-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: openshift-gitops-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-application-controller
-    namespace: openshift-gitops
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-server
-    namespace: openshift-gitops
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: mypattern-hub-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-application-controller
-    name: hub-gitops-argocd-application-controller
-    namespace: mypattern-hub
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-server
-    name: hub-gitops-argocd-server
-    namespace: mypattern-hub
-  # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76)
-  - kind: ServiceAccount
-    name: hub-gitops-argocd-dex-server
-    namespace: mypattern-hub
----
-# Source: clustergroup/templates/imperative/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: imperative-role
-  namespace: imperative
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: imperative-rolebinding
-  namespace: imperative
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: imperative-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/job.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: imperative-cronjob
-  namespace: imperative
-spec:
-  schedule: "*/10 * * * *"
-  # if previous Job is still running, skip execution of a new Job
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 3600
-      template:
-        metadata:
-          name: imperative-job
-        spec:
-          serviceAccountName: imperative-sa
-          initContainers:
-            # git init happens in /git/repo so that we can set the folder to 0770 permissions
-            # reason for that is ansible refuses to create temporary folders in there            
-            - name: fetch-ca
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
-                ls -l /tmp/ca-bundles/
-              volumeMounts:
-              - mountPath: /var/run/kube-root-ca
-                name: kube-root-ca
-              - mountPath: /var/run/trusted-ca
-                name: trusted-ca-bundle
-              - mountPath: /var/run/trusted-hub
-                name: trusted-hub-bundle
-              - mountPath: /tmp/ca-bundles
-                name: ca-bundles            
-            - name: git-init
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              volumeMounts:
-              - name: git
-                mountPath: "/git"
-              - name: ca-bundles
-                mountPath: /etc/pki/tls/certs
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
-                  URL="https://github.com/pattern-clone/mypattern";
-                else
-                  if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
-                    U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
-                    P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
-                  else
-                    S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
-                    mkdir -p --mode 0700 "${HOME}/.ssh";
-                    echo "${S}" > "${HOME}/.ssh/id_rsa";
-                    chmod 0600 "${HOME}/.ssh/id_rsa";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/");
-                    git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
-                  fi;
-                fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi;
-                if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi;
-                mkdir /git/{repo,home};
-                git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo;
-                chmod 0770 /git/{repo,home};
-            - name: test
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              workingDir: /git/repo
-              # We have a default timeout of 600s for each playbook. Can be overridden
-              # on a per-job basis
-              command:
-                - timeout
-                - "234"
-                - ansible-playbook
-                - -e
-                - "@/values/values.yaml"
-                - ansible/test.yml
-              volumeMounts:                
-                - name: git
-                  mountPath: "/git"
-                - name: values-volume
-                  mountPath: /values/values.yaml
-                  subPath: values.yaml
-                - mountPath: /var/run/kube-root-ca
-                  name: kube-root-ca
-                - mountPath: /var/run/trusted-ca
-                  name: trusted-ca-bundle
-                - mountPath: /var/run/trusted-hub
-                  name: trusted-hub-bundle
-                - mountPath: /tmp/ca-bundles
-                  name: ca-bundles
-          containers:            
-            - name: "done"
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              command:
-                - 'sh'
-                - '-c'
-                - 'echo'
-                - 'done'
-                - '\n'
-          volumes:            
-            - name: git
-              emptyDir: {}
-            - name: values-volume
-              configMap:
-                name: helm-values-configmap-hub
-            - configMap:
-                name: kube-root-ca.crt
-              name: kube-root-ca
-            - configMap:
-                name: trusted-ca-bundle
-                optional: true
-              name: trusted-ca-bundle
-            - configMap:
-                name: trusted-hub-bundle
-                optional: true
-              name: trusted-hub-bundle
-            - name: ca-bundles
-              emptyDir: {}
-          restartPolicy: Never
----
-# Source: clustergroup/templates/imperative/unsealjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: unsealvault-cronjob
-  namespace: imperative
-spec:
-  schedule: "*/5 * * * *"
-  # if previous Job is still running, skip execution of a new Job
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 3600
-      template:
-        metadata:
-          name: unsealvault-job
-        spec:
-          serviceAccountName: imperative-sa
-          initContainers:
-            # git init happens in /git/repo so that we can set the folder to 0770 permissions
-            # reason for that is ansible refuses to create temporary folders in there            
-            - name: fetch-ca
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
-                ls -l /tmp/ca-bundles/
-              volumeMounts:
-              - mountPath: /var/run/kube-root-ca
-                name: kube-root-ca
-              - mountPath: /var/run/trusted-ca
-                name: trusted-ca-bundle
-              - mountPath: /var/run/trusted-hub
-                name: trusted-hub-bundle
-              - mountPath: /tmp/ca-bundles
-                name: ca-bundles            
-            - name: git-init
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              volumeMounts:
-              - name: git
-                mountPath: "/git"
-              - name: ca-bundles
-                mountPath: /etc/pki/tls/certs
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
-                  URL="https://github.com/pattern-clone/mypattern";
-                else
-                  if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
-                    U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
-                    P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
-                  else
-                    S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
-                    mkdir -p --mode 0700 "${HOME}/.ssh";
-                    echo "${S}" > "${HOME}/.ssh/id_rsa";
-                    chmod 0600 "${HOME}/.ssh/id_rsa";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/");
-                    git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
-                  fi;
-                fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi;
-                if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi;
-                mkdir /git/{repo,home};
-                git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo;
-                chmod 0770 /git/{repo,home};
-            - name: unseal-playbook
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              workingDir: /git/repo
-              # We have a default timeout of 600s for each playbook. Can be overridden
-              # on a per-job basis
-              command:
-                - timeout
-                - "600"
-                - ansible-playbook
-                - -e
-                - "@/values/values.yaml"
-                - -t
-                - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init'
-                - "common/ansible/playbooks/vault/vault.yaml"
-              volumeMounts:                
-                - name: git
-                  mountPath: "/git"
-                - name: values-volume
-                  mountPath: /values/values.yaml
-                  subPath: values.yaml
-                - mountPath: /var/run/kube-root-ca
-                  name: kube-root-ca
-                - mountPath: /var/run/trusted-ca
-                  name: trusted-ca-bundle
-                - mountPath: /var/run/trusted-hub
-                  name: trusted-hub-bundle
-                - mountPath: /tmp/ca-bundles
-                  name: ca-bundles
-          containers:            
-            - name: "done"
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              command:
-                - 'sh'
-                - '-c'
-                - 'echo'
-                - 'done'
-                - '\n'
-          volumes:            
-            - name: git
-              emptyDir: {}
-            - name: values-volume
-              configMap:
-                name: helm-values-configmap-hub
-            - configMap:
-                name: kube-root-ca.crt
-              name: kube-root-ca
-            - configMap:
-                name: trusted-ca-bundle
-                optional: true
-              name: trusted-ca-bundle
-            - configMap:
-                name: trusted-hub-bundle
-                optional: true
-              name: trusted-hub-bundle
-            - name: ca-bundles
-              emptyDir: {}
-          restartPolicy: Never
----
-# Source: clustergroup/templates/core/subscriptions.yaml
----
----
-# Source: clustergroup/templates/plumbing/projects.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: hub
-  namespace: mypattern-hub
-spec:
-  description: "Pattern hub"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/projects.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: medical-diagnosis
-  namespace: mypattern-hub
-spec:
-  description: "Pattern medical-diagnosis"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: golang-external-secrets
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: golang-external-secrets
-  project: hub
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/golang-external-secrets
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kafdrop
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/kafdrop
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kafka
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/kafka
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: odh
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: opendatahub
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/opendatahub
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: odf
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: openshift-storage
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/openshift-data-foundations
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: serverless
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/openshift-serverless
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: xraylab-service-account
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/medical-diagnosis/service-account
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vault
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: vault
-  project: hub
-  source:
-    repoURL: https://helm.releases.hashicorp.com
-    targetRevision: v0.20.1
-    chart: vault
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-        - name: global.openshift
-          value: "true"
-        - name: injector.enabled
-          value: "false"
-        - name: ui.enabled
-          value: "true"
-        - name: ui.serviceType
-          value: "LoadBalancer"
-        - name: server.route.enabled
-          value: "true"
-        - name: server.route.host
-          value: 
-        - name: server.route.tls.termination
-          value: "edge"
-        - name: server.image.repository
-          value: "registry.connect.redhat.com/hashicorp/vault"
-        - name: server.image.tag
-          value: "1.10.3-ubi"
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: xraylab-database
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/medical-diagnosis/database
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: xraylab-grafana-dashboards
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/medical-diagnosis/grafana
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: xraylab-image-generator
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/medical-diagnosis/image-generator
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  ignoreDifferences: [
-  {
-    "group": "apps.openshift.io",
-    "jqPathExpressions": [
-      ".spec.template.spec.containers[].image"
-    ],
-    "kind": "DeploymentConfig"
-  }
-]
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: xraylab-image-server
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/medical-diagnosis/image-server
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  ignoreDifferences: [
-  {
-    "group": "apps.openshift.io",
-    "jqPathExpressions": [
-      ".spec.template.spec.containers[].image"
-    ],
-    "kind": "DeploymentConfig"
-  }
-]
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: xraylab-init
-  namespace: mypattern-hub
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: xraylab-1
-  project: medical-diagnosis
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/all/medical-diagnosis/xray-init
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-hub.yaml"
-      - "/values-4.12-hub.yaml" 
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: argoproj.io/v1beta1
-kind: ArgoCD
-metadata:
-  finalizers:
-  - argoproj.io/finalizer
-  # Changing the name affects the ClusterRoleBinding, the generated secret,
-  # route URL, and argocd.argoproj.io/managed-by annotations
-  name: hub-gitops
-  namespace: mypattern-hub
-  annotations:
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-# Adding health checks to argocd to prevent pvc resources
-# that aren't bound state from blocking deployments
-  resourceHealthChecks:
-  - kind: PersistentVolumeClaim
-    check: |
-      hs = {}
-      if obj.status ~= nil then
-        if obj.status.phase ~= nil then
-          if obj.status.phase == "Pending" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          elseif obj.status.phase == "Bound" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          end
-        end
-      end
-      hs.status = "Progressing"
-      hs.message = "Waiting for PVC"
-      return hs
-
-  resourceTrackingMethod: label
-  applicationInstanceLabelKey: argocd.argoproj.io/instance
-  applicationSet:
-    resources:
-      limits:
-        cpu: "2"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 512Mi
-  controller:
-    processors: {}
-    resources:
-      limits:
-        cpu: "4"
-        memory: 4Gi
-      requests:
-        cpu: 500m
-        memory: 2Gi
-  sso:
-    provider: dex
-    dex:
-      openShiftOAuth: true
-      resources:
-        limits:
-          cpu: 500m
-          memory: 256Mi
-        requests:
-          cpu: 250m
-          memory: 128Mi
-  initialSSHKnownHosts: {}
-  rbac:
-    defaultPolicy: role:admin
-  repo:
-    initContainers:
-    - command:
-      - bash
-      - -c
-      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true
-      image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-      name: fetch-ca
-      resources: {}
-      volumeMounts:
-      - mountPath: /var/run/kube-root-ca
-        name: kube-root-ca
-      - mountPath: /var/run/trusted-ca
-        name: trusted-ca-bundle
-      - mountPath: /var/run/trusted-hub
-        name: trusted-hub-bundle
-      - mountPath: /tmp/ca-bundles
-        name: ca-bundles
-    resources:
-      limits:
-        cpu: "1"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-    volumeMounts:
-    - mountPath: /etc/pki/tls/certs
-      name: ca-bundles
-    volumes:
-    - configMap:
-        name: kube-root-ca.crt
-      name: kube-root-ca
-    - configMap:
-        name: trusted-ca-bundle
-        optional: true
-      name: trusted-ca-bundle
-    - configMap:
-        name: trusted-hub-bundle
-        optional: true
-      name: trusted-hub-bundle
-    - emptyDir: {}
-      name: ca-bundles
-    resources:
-      limits:
-        cpu: "1"
-        memory: 512Mi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-  resourceExclusions:  |
-    - apiGroups:
-      - tekton.dev
-      kinds:
-      - TaskRun
-      - PipelineRun
-  server:
-    autoscale:
-      enabled: false
-    grpc:
-      ingress:
-        enabled: false
-    ingress:
-      enabled: false
-    resources:
-      limits:
-        cpu: 500m
-        memory: 256Mi
-      requests:
-        cpu: 125m
-        memory: 128Mi
-    route:
-      enabled: true
-      tls:
-        insecureEdgeTerminationPolicy: Redirect
-        termination: reencrypt
-    service:
-      type: ""
-  tls:
-    ca: {}
-status:
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: hub-gitops-link
-  namespace: mypattern-hub
-spec:
-  applicationMenu:
-    section: OpenShift GitOps
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII=
-  href: 'https://hub-gitops-server-mypattern-hub.apps.region.example.com'
-  location: ApplicationMenu
-  text: 'Hub ArgoCD'
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: open-cluster-management-operator-group
-  namespace: open-cluster-management
-spec:
-  targetNamespaces:
-  - open-cluster-management
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: openshift-serverless-operator-group
-  namespace: openshift-serverless
-spec:
-  targetNamespaces:
-  - openshift-serverless
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: opendatahub-operator-group
-  namespace: opendatahub
-spec:
-  targetNamespaces:
-  - opendatahub
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: openshift-storage-operator-group
-  namespace: openshift-storage
-spec:
-  targetNamespaces:
-  - openshift-storage
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: xraylab-1-operator-group
-  namespace: xraylab-1
-spec:
-  targetNamespaces:
-  - xraylab-1
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: knative-serving-operator-group
-  namespace: knative-serving
-spec:
-  targetNamespaces:
-  - knative-serving
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: staging-operator-group
-  namespace: staging
-spec:
-  targetNamespaces:
-  - staging
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: vault-operator-group
-  namespace: vault
-spec:
-  targetNamespaces:
-  - vault
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: golang-external-secrets-operator-group
-  namespace: golang-external-secrets
-spec:
-  targetNamespaces:
-  - golang-external-secrets
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: amq-streams
-  namespace: xraylab-1
-spec:
-  name: amq-streams
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: grafana-operator
-  namespace: xraylab-1
-spec:
-  name: grafana-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
-  channel: v4
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: odf-operator
-  namespace: openshift-storage
-spec:
-  name: odf-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable-4.11
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: opendatahub-operator
-  namespace: openshift-operators
-spec:
-  name: opendatahub-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
-  installPlanApproval: Automatic
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: serverless-operator
-  namespace: openshift-operators
-spec:
-  name: serverless-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: stable
-  installPlanApproval: Automatic
diff --git a/tests/common-clustergroup-naked.expected.yaml b/tests/common-clustergroup-naked.expected.yaml
deleted file mode 100644
index 7a9f94b2..00000000
--- a/tests/common-clustergroup-naked.expected.yaml
+++ /dev/null
@@ -1,588 +0,0 @@
----
-# Source: clustergroup/templates/imperative/namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: imperative
-    argocd.argoproj.io/managed-by: common-example
-  name: imperative
----
-# Source: clustergroup/templates/plumbing/gitops-namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: common-example
-  # The name here needs to be consistent with
-  # - acm/templates/policies/application-policies.yaml
-  # - clustergroup/templates/applications.yaml
-  # - any references to secrets and route URLs in documentation
-  name: common-example
-spec: {}
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-admin-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: helm-values-configmap-example
-  namespace: imperative
-data:
-  values.yaml: |
-    clusterGroup:
-      applications: {}
-      argoCD:
-        configManagementPlugins: []
-        initContainers: []
-        resourceExclusions: |
-          - apiGroups:
-            - tekton.dev
-            kinds:
-            - TaskRun
-            - PipelineRun
-        resourceHealthChecks:
-        - check: |
-            hs = {}
-            if obj.status ~= nil then
-              if obj.status.phase ~= nil then
-                if obj.status.phase == "Pending" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                elseif obj.status.phase == "Bound" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                end
-              end
-            end
-            hs.status = "Progressing"
-            hs.message = "Waiting for PVC"
-            return hs
-          kind: PersistentVolumeClaim
-        resourceTrackingMethod: label
-      imperative:
-        activeDeadlineSeconds: 3600
-        adminClusterRoleName: imperative-admin-cluster-role
-        adminServiceAccountCreate: true
-        adminServiceAccountName: imperative-admin-sa
-        clusterRoleName: imperative-cluster-role
-        clusterRoleYaml: ""
-        cronJobName: imperative-cronjob
-        image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-        imagePullPolicy: Always
-        insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *'
-        jobName: imperative-job
-        jobs: []
-        namespace: imperative
-        roleName: imperative-role
-        roleYaml: ""
-        schedule: '*/10 * * * *'
-        serviceAccountCreate: true
-        serviceAccountName: imperative-sa
-        valuesConfigMap: helm-values-configmap
-        verbosity: ""
-      isHubCluster: true
-      managedClusterGroups: {}
-      name: example
-      namespaces: []
-      nodes: []
-      projects: []
-      sharedValueFiles: []
-      subscriptions: {}
-      targetCluster: in-cluster
-    enabled: all
-    global:
-      extraValueFiles: []
-      options:
-        applicationRetryLimit: 20
-        installPlanApproval: Automatic
-        syncPolicy: Automatic
-        useCSV: true
-      pattern: common
-      secretStore:
-        backend: vault
-      targetRevision: main
-    secretStore:
-      kind: ClusterSecretStore
-      name: vault-backend
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: trusted-ca-bundle
-  namespace: imperative
-  annotations:
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: trusted-ca-bundle
-  namespace: common-example
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - get
-    - list
-    - watch
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-admin-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-cluster-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-admin-clusterrolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-admin-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-admin-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: openshift-gitops-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-application-controller
-    namespace: openshift-gitops
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-server
-    namespace: openshift-gitops
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-example-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-application-controller
-    name: example-gitops-argocd-application-controller
-    namespace: common-example
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-server
-    name: example-gitops-argocd-server
-    namespace: common-example
-  # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76)
-  - kind: ServiceAccount
-    name: example-gitops-argocd-dex-server
-    namespace: common-example
----
-# Source: clustergroup/templates/imperative/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: imperative-role
-  namespace: imperative
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: imperative-rolebinding
-  namespace: imperative
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: imperative-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/unsealjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: unsealvault-cronjob
-  namespace: imperative
-spec:
-  schedule: "*/5 * * * *"
-  # if previous Job is still running, skip execution of a new Job
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 3600
-      template:
-        metadata:
-          name: unsealvault-job
-        spec:
-          serviceAccountName: imperative-sa
-          initContainers:
-            # git init happens in /git/repo so that we can set the folder to 0770 permissions
-            # reason for that is ansible refuses to create temporary folders in there            
-            - name: fetch-ca
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
-                ls -l /tmp/ca-bundles/
-              volumeMounts:
-              - mountPath: /var/run/kube-root-ca
-                name: kube-root-ca
-              - mountPath: /var/run/trusted-ca
-                name: trusted-ca-bundle
-              - mountPath: /var/run/trusted-hub
-                name: trusted-hub-bundle
-              - mountPath: /tmp/ca-bundles
-                name: ca-bundles            
-            - name: git-init
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              volumeMounts:
-              - name: git
-                mountPath: "/git"
-              - name: ca-bundles
-                mountPath: /etc/pki/tls/certs
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
-                  URL="";
-                else
-                  if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
-                    U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
-                    P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
-                    URL=$(echo  | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
-                  else
-                    S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
-                    mkdir -p --mode 0700 "${HOME}/.ssh";
-                    echo "${S}" > "${HOME}/.ssh/id_rsa";
-                    chmod 0600 "${HOME}/.ssh/id_rsa";
-                    URL=$(echo  | sed -E "s/(https?:\/\/)/\1git@/");
-                    git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
-                  fi;
-                fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi;
-                if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi;
-                mkdir /git/{repo,home};
-                git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo;
-                chmod 0770 /git/{repo,home};
-            - name: unseal-playbook
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              workingDir: /git/repo
-              # We have a default timeout of 600s for each playbook. Can be overridden
-              # on a per-job basis
-              command:
-                - timeout
-                - "600"
-                - ansible-playbook
-                - -e
-                - "@/values/values.yaml"
-                - -t
-                - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init'
-                - "common/ansible/playbooks/vault/vault.yaml"
-              volumeMounts:                
-                - name: git
-                  mountPath: "/git"
-                - name: values-volume
-                  mountPath: /values/values.yaml
-                  subPath: values.yaml
-                - mountPath: /var/run/kube-root-ca
-                  name: kube-root-ca
-                - mountPath: /var/run/trusted-ca
-                  name: trusted-ca-bundle
-                - mountPath: /var/run/trusted-hub
-                  name: trusted-hub-bundle
-                - mountPath: /tmp/ca-bundles
-                  name: ca-bundles
-          containers:            
-            - name: "done"
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              command:
-                - 'sh'
-                - '-c'
-                - 'echo'
-                - 'done'
-                - '\n'
-          volumes:            
-            - name: git
-              emptyDir: {}
-            - name: values-volume
-              configMap:
-                name: helm-values-configmap-example
-            - configMap:
-                name: kube-root-ca.crt
-              name: kube-root-ca
-            - configMap:
-                name: trusted-ca-bundle
-                optional: true
-              name: trusted-ca-bundle
-            - configMap:
-                name: trusted-hub-bundle
-                optional: true
-              name: trusted-hub-bundle
-            - name: ca-bundles
-              emptyDir: {}
-          restartPolicy: Never
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: argoproj.io/v1beta1
-kind: ArgoCD
-metadata:
-  finalizers:
-  - argoproj.io/finalizer
-  # Changing the name affects the ClusterRoleBinding, the generated secret,
-  # route URL, and argocd.argoproj.io/managed-by annotations
-  name: example-gitops
-  namespace: common-example
-  annotations:
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-# Adding health checks to argocd to prevent pvc resources
-# that aren't bound state from blocking deployments
-  resourceHealthChecks:
-  - kind: PersistentVolumeClaim
-    check: |
-      hs = {}
-      if obj.status ~= nil then
-        if obj.status.phase ~= nil then
-          if obj.status.phase == "Pending" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          elseif obj.status.phase == "Bound" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          end
-        end
-      end
-      hs.status = "Progressing"
-      hs.message = "Waiting for PVC"
-      return hs
-
-  resourceTrackingMethod: label
-  applicationInstanceLabelKey: argocd.argoproj.io/instance
-  applicationSet:
-    resources:
-      limits:
-        cpu: "2"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 512Mi
-  controller:
-    processors: {}
-    resources:
-      limits:
-        cpu: "4"
-        memory: 4Gi
-      requests:
-        cpu: 500m
-        memory: 2Gi
-  sso:
-    provider: dex
-    dex:
-      openShiftOAuth: true
-      resources:
-        limits:
-          cpu: 500m
-          memory: 256Mi
-        requests:
-          cpu: 250m
-          memory: 128Mi
-  initialSSHKnownHosts: {}
-  rbac:
-    defaultPolicy: role:admin
-  repo:
-    initContainers:
-    - command:
-      - bash
-      - -c
-      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true
-      image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-      name: fetch-ca
-      resources: {}
-      volumeMounts:
-      - mountPath: /var/run/kube-root-ca
-        name: kube-root-ca
-      - mountPath: /var/run/trusted-ca
-        name: trusted-ca-bundle
-      - mountPath: /var/run/trusted-hub
-        name: trusted-hub-bundle
-      - mountPath: /tmp/ca-bundles
-        name: ca-bundles
-    resources:
-      limits:
-        cpu: "1"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-    volumeMounts:
-    - mountPath: /etc/pki/tls/certs
-      name: ca-bundles
-    volumes:
-    - configMap:
-        name: kube-root-ca.crt
-      name: kube-root-ca
-    - configMap:
-        name: trusted-ca-bundle
-        optional: true
-      name: trusted-ca-bundle
-    - configMap:
-        name: trusted-hub-bundle
-        optional: true
-      name: trusted-hub-bundle
-    - emptyDir: {}
-      name: ca-bundles
-    resources:
-      limits:
-        cpu: "1"
-        memory: 512Mi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-  resourceExclusions:  |
-    - apiGroups:
-      - tekton.dev
-      kinds:
-      - TaskRun
-      - PipelineRun
-  server:
-    autoscale:
-      enabled: false
-    grpc:
-      ingress:
-        enabled: false
-    ingress:
-      enabled: false
-    resources:
-      limits:
-        cpu: 500m
-        memory: 256Mi
-      requests:
-        cpu: 125m
-        memory: 128Mi
-    route:
-      enabled: true
-      tls:
-        insecureEdgeTerminationPolicy: Redirect
-        termination: reencrypt
-    service:
-      type: ""
-  tls:
-    ca: {}
-status:
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: example-gitops-link
-  namespace: common-example
-spec:
-  applicationMenu:
-    section: OpenShift GitOps
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII=
-  href: 'https://example-gitops-server-common-example.'
-  location: ApplicationMenu
-  text: 'Example ArgoCD'
diff --git a/tests/common-clustergroup-normal.expected.yaml b/tests/common-clustergroup-normal.expected.yaml
deleted file mode 100644
index 7ba2ca36..00000000
--- a/tests/common-clustergroup-normal.expected.yaml
+++ /dev/null
@@ -1,1487 +0,0 @@
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: open-cluster-management
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-    kubernetes.io/os: "linux"
-    openshift.io/node-selector: ""
-  annotations:
-    openshift.io/cluster-monitoring: "true"
-    owner: "namespace owner"
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: application-ci
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: exclude-targetns
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-  name: include-ci
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-  name: exclude-og
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: totally-exclude-og
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-spec:
----
-# Source: clustergroup/templates/core/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: include-default-og
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-spec:
----
-# Source: clustergroup/templates/imperative/namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: imperative
-    argocd.argoproj.io/managed-by: mypattern-example
-  name: imperative
----
-# Source: clustergroup/templates/plumbing/gitops-namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: mypattern-example
-  # The name here needs to be consistent with
-  # - acm/templates/policies/application-policies.yaml
-  # - clustergroup/templates/applications.yaml
-  # - any references to secrets and route URLs in documentation
-  name: mypattern-example
-spec: {}
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: imperative-admin-sa
-  namespace: imperative
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: helm-values-configmap-example
-  namespace: imperative
-data:
-  values.yaml: |
-    clusterGroup:
-      applications:
-        acm:
-          ignoreDifferences:
-          - group: internal.open-cluster-management.io
-            jsonPointers:
-            - /spec/loggingCA
-            kind: ManagedClusterInfo
-          name: acm
-          namespace: open-cluster-management
-          path: common/acm
-          project: datacenter
-        pipe:
-          extraValueFiles:
-          - /values/4.12/aws.yaml
-          name: pipelines
-          namespace: application-ci
-          path: charts/datacenter/pipelines
-          project: datacenter
-      argoCD:
-        configManagementPlugins: []
-        initContainers: []
-        resourceExclusions: |
-          - apiGroups:
-            - tekton.dev
-            kinds:
-            - TaskRun
-            - PipelineRun
-        resourceHealthChecks:
-        - check: |
-            hs = {}
-            if obj.status ~= nil then
-              if obj.status.phase ~= nil then
-                if obj.status.phase == "Pending" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                elseif obj.status.phase == "Bound" then
-                  hs.status = "Healthy"
-                  hs.message = obj.status.phase
-                  return hs
-                end
-              end
-            end
-            hs.status = "Progressing"
-            hs.message = "Waiting for PVC"
-            return hs
-          kind: PersistentVolumeClaim
-        resourceTrackingMethod: label
-      imperative:
-        activeDeadlineSeconds: 3600
-        adminClusterRoleName: imperative-admin-cluster-role
-        adminServiceAccountCreate: true
-        adminServiceAccountName: imperative-admin-sa
-        clusterRoleName: imperative-cluster-role
-        clusterRoleYaml: ""
-        cronJobName: imperative-cronjob
-        image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-        imagePullPolicy: Always
-        insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *'
-        jobName: imperative-job
-        jobs:
-        - name: test
-          playbook: ansible/test.yml
-          timeout: 234
-        namespace: imperative
-        roleName: imperative-role
-        roleYaml: ""
-        schedule: '*/10 * * * *'
-        serviceAccountCreate: true
-        serviceAccountName: imperative-sa
-        valuesConfigMap: helm-values-configmap
-        verbosity: ""
-      isHubCluster: true
-      managedClusterGroups:
-      - acmlabels:
-        - name: clusterGroup
-          value: acm-region
-        helmOverrides:
-        - name: clusterGroup.isHubCluster
-          value: "false"
-        name: acm-edge
-        targetRevision: main
-      - acmlabels:
-        - name: clusterGroup
-          value: region
-        clusterDeployments:
-          myFirstCluster:
-            baseDomain: blueprints.rhecoeng.com
-            name: aws-cd-one-w-pool
-            openshiftVersion: 4.10.18
-            platform:
-              aws:
-                region: ap-southeast-1
-        clusterPools:
-          exampleAWSPool:
-            baseDomain: blueprints.rhecoeng.com
-            controlPlane:
-              count: 1
-              platform:
-                aws:
-                  type: m5.xlarge
-            name: aws-ap
-            openshiftVersion: 4.10.18
-            platform:
-              aws:
-                region: ap-southeast-2
-            size: 3
-            workers:
-              count: 0
-          exampleAzurePool:
-            baseDomain: blueprints.rhecoeng.com
-            clusters:
-            - Two
-            - three
-            name: azure-us
-            openshiftVersion: 4.10.18
-            platform:
-              azure:
-                baseDomainResourceGroupName: dojo-dns-zones
-                region: eastus
-        helmOverrides:
-        - name: clusterGroup.isHubCluster
-          value: "false"
-        name: acm-provision-edge
-        targetRevision: main
-      - clusterDeployments:
-          mySecondCluster:
-            baseDomain: blueprints.rhecoeng.com
-            name: aws-cd-two-wo-pool
-            openshiftVersion: 4.10.18
-            platform:
-              aws:
-                region: ap-southeast-3
-        name: acm-provision-on-deploy
-      - helmOverrides:
-        - name: clusterGroup.isHubCluster
-          value: "false"
-        hostedArgoSites:
-        - domain: perth1.beekhof.net
-          name: perth
-        - domain: syd.beekhof.net
-          name: sydney
-        name: argo-edge
-      name: example
-      namespaces:
-      - open-cluster-management:
-          annotations:
-            openshift.io/cluster-monitoring: "true"
-            owner: namespace owner
-          labels:
-            kubernetes.io/os: linux
-            openshift.io/node-selector: ""
-      - application-ci:
-          operatorGroup: true
-          targetNamespaces:
-          - application-ci
-          - other-namespace
-      - exclude-targetns:
-          operatorGroup: true
-          targetNamespaces: null
-      - include-ci
-      - exclude-og
-      - totally-exclude-og:
-          operatorGroup: false
-      - include-default-og:
-          operatorGroup: true
-      nodes:
-      - m-m00.cluster.example.tld:
-          labels:
-            cluster.ocs.openshift.io/openshift-storage: ""
-      - m-m01.cluster.example.tld:
-          labels:
-            cluster.ocs.openshift.io/openshift-storage: ""
-      - m-m02.cluster.example.tld:
-          labels:
-            cluster.ocs.openshift.io/openshift-storage: ""
-      operatorgroupExcludes:
-      - exclude-og
-      projects:
-      - datacenter
-      scheduler:
-        mastersSchedulable: true
-      sharedValueFiles:
-      - /values/aws.yaml
-      - /values/4.12.yaml
-      subscriptions:
-        acm:
-          channel: release-2.4
-          csv: advanced-cluster-management.v2.4.1
-          name: advanced-cluster-management
-          namespace: open-cluster-management
-        odh:
-          csv: opendatahub-operator.v1.1.0
-          disabled: true
-          name: opendatahub-operator
-          source: community-operators
-        pipelines:
-          csv: redhat-openshift-pipelines.v1.5.2
-          name: openshift-pipelines-operator-rh
-      targetCluster: in-cluster
-    enabled: all
-    global:
-      clusterDomain: region.example.com
-      clusterPlatform: aws
-      clusterVersion: "4.12"
-      extraValueFiles: []
-      hubClusterDomain: apps.hub.example.com
-      localClusterDomain: apps.region.example.com
-      multiClusterTarget: all
-      namespace: pattern-namespace
-      options:
-        applicationRetryLimit: 20
-        installPlanApproval: Automatic
-        syncPolicy: Automatic
-        useCSV: false
-      pattern: mypattern
-      repoURL: https://github.com/pattern-clone/mypattern
-      secretStore:
-        backend: vault
-      targetRevision: main
-    main:
-      clusterGroupName: hub
-      git:
-        repoURL: https://github.com/pattern-clone/mypattern
-        revision: main
-      multiSourceConfig:
-        enabled: true
-    secretStore:
-      kind: ClusterSecretStore
-      name: vault-backend
----
-# Source: clustergroup/templates/imperative/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: trusted-ca-bundle
-  namespace: imperative
-  annotations:
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: trusted-ca-bundle
-  namespace: mypattern-example
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - get
-    - list
-    - watch
----
-# Source: clustergroup/templates/imperative/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: imperative-admin-cluster-role
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-cluster-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: imperative-admin-clusterrolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: imperative-admin-cluster-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-admin-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: openshift-gitops-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-application-controller
-    namespace: openshift-gitops
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    name: openshift-gitops-argocd-server
-    namespace: openshift-gitops
----
-# Source: clustergroup/templates/plumbing/argocd-super-role.yaml
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: mypattern-example-cluster-admin-rolebinding
-  # We need to have this before anything else or the sync might get stuck forever
-  # due to permission issues
-  annotations:
-    argocd.argoproj.io/sync-wave: "-100"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-application-controller
-    name: example-gitops-argocd-application-controller
-    namespace: mypattern-example
-  # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
-  - kind: ServiceAccount
-    # This is the {ArgoCD.name}-argocd-server
-    name: example-gitops-argocd-server
-    namespace: mypattern-example
-  # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76)
-  - kind: ServiceAccount
-    name: example-gitops-argocd-dex-server
-    namespace: mypattern-example
----
-# Source: clustergroup/templates/imperative/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: imperative-role
-  namespace: imperative
-rules:
-  - apiGroups:
-    - '*'
-    resources:
-    - '*'
-    verbs:
-    - '*'
----
-# Source: clustergroup/templates/imperative/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: imperative-rolebinding
-  namespace: imperative
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: imperative-role
-subjects:
-  - kind: ServiceAccount
-    name: imperative-sa
-    namespace: imperative
----
-# Source: clustergroup/templates/imperative/job.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: imperative-cronjob
-  namespace: imperative
-spec:
-  schedule: "*/10 * * * *"
-  # if previous Job is still running, skip execution of a new Job
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 3600
-      template:
-        metadata:
-          name: imperative-job
-        spec:
-          serviceAccountName: imperative-sa
-          initContainers:
-            # git init happens in /git/repo so that we can set the folder to 0770 permissions
-            # reason for that is ansible refuses to create temporary folders in there            
-            - name: fetch-ca
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
-                ls -l /tmp/ca-bundles/
-              volumeMounts:
-              - mountPath: /var/run/kube-root-ca
-                name: kube-root-ca
-              - mountPath: /var/run/trusted-ca
-                name: trusted-ca-bundle
-              - mountPath: /var/run/trusted-hub
-                name: trusted-hub-bundle
-              - mountPath: /tmp/ca-bundles
-                name: ca-bundles            
-            - name: git-init
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              volumeMounts:
-              - name: git
-                mountPath: "/git"
-              - name: ca-bundles
-                mountPath: /etc/pki/tls/certs
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
-                  URL="https://github.com/pattern-clone/mypattern";
-                else
-                  if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
-                    U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
-                    P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
-                  else
-                    S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
-                    mkdir -p --mode 0700 "${HOME}/.ssh";
-                    echo "${S}" > "${HOME}/.ssh/id_rsa";
-                    chmod 0600 "${HOME}/.ssh/id_rsa";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/");
-                    git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
-                  fi;
-                fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi;
-                if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi;
-                mkdir /git/{repo,home};
-                git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo;
-                chmod 0770 /git/{repo,home};
-            - name: test
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              workingDir: /git/repo
-              # We have a default timeout of 600s for each playbook. Can be overridden
-              # on a per-job basis
-              command:
-                - timeout
-                - "234"
-                - ansible-playbook
-                - -e
-                - "@/values/values.yaml"
-                - ansible/test.yml
-              volumeMounts:                
-                - name: git
-                  mountPath: "/git"
-                - name: values-volume
-                  mountPath: /values/values.yaml
-                  subPath: values.yaml
-                - mountPath: /var/run/kube-root-ca
-                  name: kube-root-ca
-                - mountPath: /var/run/trusted-ca
-                  name: trusted-ca-bundle
-                - mountPath: /var/run/trusted-hub
-                  name: trusted-hub-bundle
-                - mountPath: /tmp/ca-bundles
-                  name: ca-bundles
-          containers:            
-            - name: "done"
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              command:
-                - 'sh'
-                - '-c'
-                - 'echo'
-                - 'done'
-                - '\n'
-          volumes:            
-            - name: git
-              emptyDir: {}
-            - name: values-volume
-              configMap:
-                name: helm-values-configmap-example
-            - configMap:
-                name: kube-root-ca.crt
-              name: kube-root-ca
-            - configMap:
-                name: trusted-ca-bundle
-                optional: true
-              name: trusted-ca-bundle
-            - configMap:
-                name: trusted-hub-bundle
-                optional: true
-              name: trusted-hub-bundle
-            - name: ca-bundles
-              emptyDir: {}
-          restartPolicy: Never
----
-# Source: clustergroup/templates/imperative/unsealjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: unsealvault-cronjob
-  namespace: imperative
-spec:
-  schedule: "*/5 * * * *"
-  # if previous Job is still running, skip execution of a new Job
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 3600
-      template:
-        metadata:
-          name: unsealvault-job
-        spec:
-          serviceAccountName: imperative-sa
-          initContainers:
-            # git init happens in /git/repo so that we can set the folder to 0770 permissions
-            # reason for that is ansible refuses to create temporary folders in there            
-            - name: fetch-ca
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
-                ls -l /tmp/ca-bundles/
-              volumeMounts:
-              - mountPath: /var/run/kube-root-ca
-                name: kube-root-ca
-              - mountPath: /var/run/trusted-ca
-                name: trusted-ca-bundle
-              - mountPath: /var/run/trusted-hub
-                name: trusted-hub-bundle
-              - mountPath: /tmp/ca-bundles
-                name: ca-bundles            
-            - name: git-init
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              volumeMounts:
-              - name: git
-                mountPath: "/git"
-              - name: ca-bundles
-                mountPath: /etc/pki/tls/certs
-              command:
-              - 'sh'
-              - '-c'
-              - >-
-                if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
-                  URL="https://github.com/pattern-clone/mypattern";
-                else
-                  if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then
-                    U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')";
-                    P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
-                  else
-                    S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')";
-                    mkdir -p --mode 0700 "${HOME}/.ssh";
-                    echo "${S}" > "${HOME}/.ssh/id_rsa";
-                    chmod 0600 "${HOME}/.ssh/id_rsa";
-                    URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/");
-                    git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
-                  fi;
-                fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi;
-                OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)";
-                if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi;
-                if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi;
-                mkdir /git/{repo,home};
-                git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo;
-                chmod 0770 /git/{repo,home};
-            - name: unseal-playbook
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              env:
-                - name: HOME
-                  value: /git/home
-              workingDir: /git/repo
-              # We have a default timeout of 600s for each playbook. Can be overridden
-              # on a per-job basis
-              command:
-                - timeout
-                - "600"
-                - ansible-playbook
-                - -e
-                - "@/values/values.yaml"
-                - -t
-                - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init'
-                - "common/ansible/playbooks/vault/vault.yaml"
-              volumeMounts:                
-                - name: git
-                  mountPath: "/git"
-                - name: values-volume
-                  mountPath: /values/values.yaml
-                  subPath: values.yaml
-                - mountPath: /var/run/kube-root-ca
-                  name: kube-root-ca
-                - mountPath: /var/run/trusted-ca
-                  name: trusted-ca-bundle
-                - mountPath: /var/run/trusted-hub
-                  name: trusted-hub-bundle
-                - mountPath: /tmp/ca-bundles
-                  name: ca-bundles
-          containers:            
-            - name: "done"
-              image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-              imagePullPolicy: Always
-              command:
-                - 'sh'
-                - '-c'
-                - 'echo'
-                - 'done'
-                - '\n'
-          volumes:            
-            - name: git
-              emptyDir: {}
-            - name: values-volume
-              configMap:
-                name: helm-values-configmap-example
-            - configMap:
-                name: kube-root-ca.crt
-              name: kube-root-ca
-            - configMap:
-                name: trusted-ca-bundle
-                optional: true
-              name: trusted-ca-bundle
-            - configMap:
-                name: trusted-hub-bundle
-                optional: true
-              name: trusted-hub-bundle
-            - name: ca-bundles
-              emptyDir: {}
-          restartPolicy: Never
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
----
-# Source: clustergroup/templates/core/subscriptions.yaml
----
----
-# Source: clustergroup/templates/plumbing/hosted-sites.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: argo-edge
-  namespace: openshift-gitops
-spec:
-  description: "Cluster Group argo-edge"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/projects.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: datacenter
-  namespace: mypattern-example
-spec:
-  description: "Pattern datacenter"
-  destinations:
-  - namespace: '*'
-    server: '*'
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  namespaceResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  sourceRepos:
-  - '*'
-status: {}
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: acm
-  namespace: mypattern-example
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: open-cluster-management
-  project: datacenter
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/acm
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-example.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-example.yaml"
-      - "/values-4.12-example.yaml" 
-      - "/values/aws.yaml"
-      - "/values/4.12.yaml"
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  ignoreDifferences: [
-  {
-    "group": "internal.open-cluster-management.io",
-    "jsonPointers": [
-      "/spec/loggingCA"
-    ],
-    "kind": "ManagedClusterInfo"
-  }
-]
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/applications.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: pipelines
-  namespace: mypattern-example
-  labels:
-    validatedpatterns.io/pattern: mypattern
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: application-ci
-  project: datacenter
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: charts/datacenter/pipelines
-    helm:
-      ignoreMissingValueFiles: true
-      values: |
-        extraParametersNested:
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-example.yaml"
-      - "/values-aws.yaml"
-      - "/values-aws-4.12.yaml"
-      - "/values-aws-example.yaml"
-      - "/values-4.12-example.yaml" 
-      - "/values/aws.yaml"
-      - "/values/4.12.yaml"
-      - "/values/4.12/aws.yaml"
-      parameters:
-        - name: global.repoURL
-          value: https://github.com/pattern-clone/mypattern
-        - name: global.targetRevision
-          value: main
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: mypattern
-        - name: global.clusterDomain
-          value: region.example.com
-        - name: global.clusterVersion
-          value: "4.12"
-        - name: global.clusterPlatform
-          value: "aws"
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.multiSourceSupport
-          value: 
-        - name: global.multiSourceRepoUrl
-          value: 
-        - name: global.multiSourceTargetRevision
-          value: 
-        - name: global.localClusterDomain
-          value: apps.region.example.com
-        - name: global.privateRepo
-          value: 
-        - name: global.experimentalCapabilities
-          value: 
-  syncPolicy:
-    automated: {}
-    retry:
-      limit: 20
----
-# Source: clustergroup/templates/plumbing/hosted-sites.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: mypattern-argo-edge-perth
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  project: argo-edge
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-argo-edge.yaml"
-      parameters:
-      - name: global.repoURL
-        value: $ARGOCD_APP_SOURCE_REPO_URL
-      - name: global.targetRevision
-        value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-      - name: global.namespace
-        value: $ARGOCD_APP_NAMESPACE
-      - name: global.pattern
-        value: mypattern
-      - name: global.hubClusterDomain
-        value: apps.hub.example.com
-      - name: global.localClusterDomain
-        value: apps.perth1.beekhof.net
-      - name: global.clusterDomain
-        value: perth1.beekhof.net
-      - name: enabled
-        value: core
-      - name: clusterGroup.name
-        value: argo-edge
-      - name: clusterGroup.targetCluster
-        value: perth
-      - name: clusterGroup.hostedSite.secretsPath
-        value: secret/data/hub/cluster_perth
-      - name: clusterGroup.isHubCluster
-        value: "false"
-  destination:
-    name: perth
-    namespace: mypattern-argo-edge
-  syncPolicy:
-    automated:
-      selfHeal: true
-  ignoreDifferences:
-  - group: apps
-    kind: Deployment
-    jsonPointers:
-    - /spec/replicas
-  - group: route.openshift.io
-    kind: Route
-    jsonPointers:
-    - /status
----
-# Source: clustergroup/templates/plumbing/hosted-sites.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: mypattern-argo-edge-perth-plumbing
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  project: argo-edge
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-argo-edge.yaml"
-      parameters:
-      - name: global.repoURL
-        value: $ARGOCD_APP_SOURCE_REPO_URL
-      - name: global.targetRevision
-        value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-      - name: global.namespace
-        value: $ARGOCD_APP_NAMESPACE
-      - name: global.pattern
-        value: mypattern
-      - name: global.hubClusterDomain
-        value: apps.hub.example.com
-      - name: global.localClusterDomain
-        value: apps.perth1.beekhof.net
-      - name: global.clusterDomain
-        value: perth1.beekhof.net
-      - name: enabled
-        value: plumbing
-      - name: clusterGroup.name
-        value: argo-edge
-      - name: clusterGroup.targetCluster
-        value: perth
-      - name: clusterGroup.hostedSite.secretsPath
-        value: secret/data/hub/cluster_perth
-      - name: clusterGroup.isHubCluster
-        value: "false"
-  destination:
-    name: in-cluster
-    namespace: openshift-gitops
-  syncPolicy:
-    automated:
-      selfHeal: true
-  ignoreDifferences:
-  - group: apps
-    kind: Deployment
-    jsonPointers:
-    - /spec/replicas
-  - group: route.openshift.io
-    kind: Route
-    jsonPointers:
-    - /status
----
-# Source: clustergroup/templates/plumbing/hosted-sites.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: mypattern-argo-edge-sydney
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  project: argo-edge
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-argo-edge.yaml"
-      parameters:
-      - name: global.repoURL
-        value: $ARGOCD_APP_SOURCE_REPO_URL
-      - name: global.targetRevision
-        value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-      - name: global.namespace
-        value: $ARGOCD_APP_NAMESPACE
-      - name: global.pattern
-        value: mypattern
-      - name: global.hubClusterDomain
-        value: apps.hub.example.com
-      - name: global.localClusterDomain
-        value: apps.syd.beekhof.net
-      - name: global.clusterDomain
-        value: syd.beekhof.net
-      - name: enabled
-        value: core
-      - name: clusterGroup.name
-        value: argo-edge
-      - name: clusterGroup.targetCluster
-        value: sydney
-      - name: clusterGroup.hostedSite.secretsPath
-        value: secret/data/hub/cluster_sydney
-      - name: clusterGroup.isHubCluster
-        value: "false"
-  destination:
-    name: sydney
-    namespace: mypattern-argo-edge
-  syncPolicy:
-    automated:
-      selfHeal: true
-  ignoreDifferences:
-  - group: apps
-    kind: Deployment
-    jsonPointers:
-    - /spec/replicas
-  - group: route.openshift.io
-    kind: Route
-    jsonPointers:
-    - /status
----
-# Source: clustergroup/templates/plumbing/hosted-sites.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: mypattern-argo-edge-sydney-plumbing
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  project: argo-edge
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-argo-edge.yaml"
-      parameters:
-      - name: global.repoURL
-        value: $ARGOCD_APP_SOURCE_REPO_URL
-      - name: global.targetRevision
-        value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-      - name: global.namespace
-        value: $ARGOCD_APP_NAMESPACE
-      - name: global.pattern
-        value: mypattern
-      - name: global.hubClusterDomain
-        value: apps.hub.example.com
-      - name: global.localClusterDomain
-        value: apps.syd.beekhof.net
-      - name: global.clusterDomain
-        value: syd.beekhof.net
-      - name: enabled
-        value: plumbing
-      - name: clusterGroup.name
-        value: argo-edge
-      - name: clusterGroup.targetCluster
-        value: sydney
-      - name: clusterGroup.hostedSite.secretsPath
-        value: secret/data/hub/cluster_sydney
-      - name: clusterGroup.isHubCluster
-        value: "false"
-  destination:
-    name: in-cluster
-    namespace: openshift-gitops
-  syncPolicy:
-    automated:
-      selfHeal: true
-  ignoreDifferences:
-  - group: apps
-    kind: Deployment
-    jsonPointers:
-    - /spec/replicas
-  - group: route.openshift.io
-    kind: Route
-    jsonPointers:
-    - /status
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: argoproj.io/v1beta1
-kind: ArgoCD
-metadata:
-  finalizers:
-  - argoproj.io/finalizer
-  # Changing the name affects the ClusterRoleBinding, the generated secret,
-  # route URL, and argocd.argoproj.io/managed-by annotations
-  name: example-gitops
-  namespace: mypattern-example
-  annotations:
-    argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-# Adding health checks to argocd to prevent pvc resources
-# that aren't bound state from blocking deployments
-  resourceHealthChecks:
-  - kind: PersistentVolumeClaim
-    check: |
-      hs = {}
-      if obj.status ~= nil then
-        if obj.status.phase ~= nil then
-          if obj.status.phase == "Pending" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          elseif obj.status.phase == "Bound" then
-            hs.status = "Healthy"
-            hs.message = obj.status.phase
-            return hs
-          end
-        end
-      end
-      hs.status = "Progressing"
-      hs.message = "Waiting for PVC"
-      return hs
-
-  resourceTrackingMethod: label
-  applicationInstanceLabelKey: argocd.argoproj.io/instance
-  applicationSet:
-    resources:
-      limits:
-        cpu: "2"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 512Mi
-  controller:
-    processors: {}
-    resources:
-      limits:
-        cpu: "4"
-        memory: 4Gi
-      requests:
-        cpu: 500m
-        memory: 2Gi
-  sso:
-    provider: dex
-    dex:
-      openShiftOAuth: true
-      resources:
-        limits:
-          cpu: 500m
-          memory: 256Mi
-        requests:
-          cpu: 250m
-          memory: 128Mi
-  initialSSHKnownHosts: {}
-  rbac:
-    defaultPolicy: role:admin
-  repo:
-    initContainers:
-    - command:
-      - bash
-      - -c
-      - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true
-      image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
-      name: fetch-ca
-      resources: {}
-      volumeMounts:
-      - mountPath: /var/run/kube-root-ca
-        name: kube-root-ca
-      - mountPath: /var/run/trusted-ca
-        name: trusted-ca-bundle
-      - mountPath: /var/run/trusted-hub
-        name: trusted-hub-bundle
-      - mountPath: /tmp/ca-bundles
-        name: ca-bundles
-    resources:
-      limits:
-        cpu: "1"
-        memory: 1Gi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-    volumeMounts:
-    - mountPath: /etc/pki/tls/certs
-      name: ca-bundles
-    volumes:
-    - configMap:
-        name: kube-root-ca.crt
-      name: kube-root-ca
-    - configMap:
-        name: trusted-ca-bundle
-        optional: true
-      name: trusted-ca-bundle
-    - configMap:
-        name: trusted-hub-bundle
-        optional: true
-      name: trusted-hub-bundle
-    - emptyDir: {}
-      name: ca-bundles
-    resources:
-      limits:
-        cpu: "1"
-        memory: 512Mi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-  resourceExclusions:  |
-    - apiGroups:
-      - tekton.dev
-      kinds:
-      - TaskRun
-      - PipelineRun
-  server:
-    autoscale:
-      enabled: false
-    grpc:
-      ingress:
-        enabled: false
-    ingress:
-      enabled: false
-    resources:
-      limits:
-        cpu: 500m
-        memory: 256Mi
-      requests:
-        cpu: 125m
-        memory: 128Mi
-    route:
-      enabled: true
-      tls:
-        insecureEdgeTerminationPolicy: Redirect
-        termination: reencrypt
-    service:
-      type: ""
-  tls:
-    ca: {}
-status:
----
-# Source: clustergroup/templates/plumbing/argocd.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: example-gitops-link
-  namespace: mypattern-example
-spec:
-  applicationMenu:
-    section: OpenShift GitOps
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQwAAAEMCAYAAAAxjIiTAABtCklEQVR4nOy9B5gkx30f+qvqMHHj5RwA3OGAQwaIQ86JYBJFUgyiRJHm06Msy7QtPkkkre9ZFml9T5ItW6YtySZNijkiA0Q85EM6AAfgIu4Ol/Pepokd6v++qu7Zm9udmZ3QPTML9I/fcHE7O9011VW/+uc/R4QIESLUiYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA3IsKIECFC3YgII0KECHUjIowIESLUjYgwIkSIUDciwogQIULdiAgjQoQIdSMijAgRItSNiDAiRIhQNyLCiBAhQt2ICCNChAh1IyKMCBEi1I2IMCJEiFA39E4PIEK4uPduQnzVCDRiIOIQjMDAAJA6LggAo1M/S2AT/1cGOvU7kv8jBsbkdcn7tfw3995jROqCrutgDWZj6XmTLxZhJiJ6iu8y/HDDBswaOBu6yyH3rEtFMIfDYRx6UWeWUdQ1xnXOSbc1YRK0mO5S3AXFGbEYgBgHmRzQAGYAjHk8IWmBbDDmcIIlOCxBKALIOy4VdWIFMGZpGhwXwo05wnE0jbjG4QoHBo/B4QyCGI4sjuPz/UanpypCE4gIYwbiVy8dgx5jSHAd4Jp39MsnKQg3n9uHe986Eou5RpoIAwAGGKPZAJtHDHMBzGHALACDYOgjIA1CEkCcATFf6tT8taFNrBBP+nDlXbyf5BCYJAz5yjJgnAijjGEYwBBAxwCoFyMcJ2LDNuMjNljmxl0566U1aUlC4IqK5OUZNMHw/No0vs6iZdmtiJ7MDMJTb2dgFQVcYSNl6Bgby2lIxOIQop8YLdQJywWjlYyxFYywRJKEJAwAvQBS8AihXXYrt0QmAMYAnARwlED7wPg7JGi3YLSHEzukA2OOqxeEbglT0lA8DodiuOPcmBRw2jTcCPUgehpdigf3ONCzOXW0M9/kQKKgua4+QKDFYOIMRmwNY2wNAWcxYCGAPikpzADblA2gANAIAztAwE4CthBhK4F2c7BDI+gdXkCjwjYNtUiZYMi6PfjQhZGdvpOICKOL8K1rCCv+5zg0JsCtIrJunMMspHXwxZpgaxnDxWA4D4QzAMwH0FOvxEAT/zcJPhlVOsjLf0cVPktlRtAp12YNLy5BwCgDDoNhFwibiOg1AbxlAIfZsMiwOZwcMlEQWXzkgoWNXT1CIIgIo8NY/04WTtZWOjyLWRgb1vV4zJnHGFvNCJcBeB8DzgOwAFC2hmkJopwc5KbncvMyBo0zcM6gaVD/Xfr3xEv9redDUWThf04yA/meFPWTSO1uVxCEfBHBdcn/t/d7+SLh/V052TSgYbieOkMHQXgTjL8gBNsoSOw4kjlwfNnslS6Ts+YCKZ7EunMjI2o7EBFGh3DXGwWktDzcvAOXyNC4NodrdCEB14DhcgCrAWWkrKpeTGxE/zSXm13TGHSNwdA5TIPB1Dl0Xf6OeyShMfV3vJwQGtvI/s1PCRUlEpE/FXkowgAcR8BxBWybYDkCtnrRBNFMJrZpINWYIwC2AdgggGeInDdN2zhRSFpukhKw+lO4Y3FEHGEiIow24tEdeTDHUv/99F6NXbEwNw9g5zGwGwi4lgFrAPTXkiKITkkNmiZJgSMmX6b3U/5b88mBsSobkSprJ0Gg0v3IlzIkSSgCcQSKNqFouSjaApYticUnkSrq0SS4BJxkwGYQnmSMnmYCb26+cPbQeZtHldGHx5K48cyIPIJGRBhtwN07c0gWbMSdHPIsnnTJWa0x3CjAbmHA+QDmVSKJiRPYJwgpNUhSSMQ0xGOa+m/5u5I6MRFUFRYbBICJgDCftCRJeAQiUCy6yBddFCyPVMrVmRokIlWXwwBeg8CjxOkJAtut28U8j/cgbzn44MWDbft+73ZEhBESHt6TBc/YKtrxNV2wtTlawDitA9idDLgOwBIAZqXPlk5ZqVoogojrSMY1xM1TBMHKjI1dzA91ofy7SJVGqi1S+sgVXOSKLoqWUOqNmF76KALYA+AJIjwAwV65/aLBo49uHlVLXaTjuH15rC3f6d2KiDBCwBM7crDzOeRhGRqMFTqx2xjwQTBcDC9o6jSUJIkSSUgJIp3QkfBJQqoYvu3xPYPS93UFKZUll3eQlQRScOA4njEVtSWPYwBeIsHuFZweExb2mZrraskUbj473b4v8i5DRBgB4bHNNohyakZtx4mD03ncxYfA6AMAO9uPjzgNJa/kBEkkdaQTGkxDUzaIctH9vYwSKQifPLJ5F5m8g3zBVcbUaeweOYA2E9jdBHrAFWJr3IxbBEImlsRHz6wo5EWogogwAsBj2/JwrTG4jpEApws46BNgeD+g4iVO83KUpAlJCPEYR48kiaShJImSqvFekiQaRYkYlORhCUUc41lH2T7c2kZTm4BtINxPhF/mdXpzrk2WlUzipkjiqBsRYTSJB3cRYoVxCBAKtpvQiS5mjD5JDB9gwNLJRszSQjZ1jlRSQ2/KUHYJ/T2obgSFUgSsI0hJG2NZWxGIJBJRfXG7AHYR4W4CfkEkNsWMmEXE4FAP7jg/2hK1EM1OE3jknTzY6CgsGAYHzuMcnyGiDwFYWYkoOAdipoa+lI6e1ClpIiKJ4CDJQwjAsl2M5xyMZmwUVN4NVZM4JHHsIKJfMmI/Fba2VY/ZLtPjuOXc3raPf6YgIowG8MiOLLjtYtR0eCpLq8DokwB+C8BZfobnBCQZaBpDMqahP20gndKVhyOSJsLFhNThEjI5GyMZB9mCo/5dZbE7ALaA8EMi9suhkeHd8+bMI8OI4frVkX1jMiLCqBNPbilini2wV+TmgdNHAfwugIsmu0ZLRJGKaxjoMZBK6jA0T+iIeKK9YL6tI5t3MJKxleRRgzgKAF4Ese+Qyx/gsfyQafbjhlXJdg+7qxERRi3QX+DxLV/2KkflKeXq7o0M9EUAN/rp4qf+1CeKdEKfIApdqh2dG30EH566QsotOzxmTUcco0TsEcbwj8TwvK7reUPTcf3qVLuH3ZWICKMGntmcw2ExwvqFeY4g9gUw+gSAReV/o4iCA8mEjsEeQ3k8dC0iim6EJI6SxDE85kkcrlvVxrEHYD9yGL5jFrHb6EnSDWcn2j7mbkNEGBWwfnsWju2gAGvQcNlHGMMfEOHCcjsF+QswGdMw2Gsqr0dEFDMDijiUjcPByTFLeVYEVdwMtlJTQP+DhPaAHuNjOo/hvUwcEWFMwtPb8jhycjtPJRZeqHH+hwA+4letOg2mwRVR9KcN9d8RUcw8yMVvuwJjGRtDYzYKRbe8znE5jgP4KZH4h0R2zhZ7MEe3rHlvqigRYfh4ansejmPBtZx+wfFxEP2hKlZTNkdyMemcoS9tYFafqRLAWGTMnPGQz7BoCyVtjIxbsJyK9g1BDK9AiP/quuy+WMIcJ8Zx65qeTgy5Y4gIA8AT2zLoORbDyf7Rc4jwr3xX6YRUUTp1UnENs/pjKjpTiwya7yr4NZSVfWNotKjsG5XVFDpGjP0AwLdu75+1+6mxPK5f+97xpLynCWPDdgsZkYddKCY457cB+AqAdeXBV0RQ4VmDPQYG+0wVqRkRxbsXjEElt0lJY2jMUpmyFWBL7dUV9Demw59gSd2Sf3fnRVM013cd3rOEcf9OQj5zBGnNmAPBvshAXwKwuPR+SapIJ3TMGYipn+/d2XpvIl9wcWKkqELO3cpG0V1E+G+c0fc1XR9maQM3LXt356W8J0swP7k1i/s0oBfG+RD4zwz0tclkYWgMcwdjWDIvoVSQiCzee0gmNCyam8D82XFVl6SCZHkGY/iPBPZXdtE96++W3oXHt+c7MdS24T23DZ7cnsdQLq8nubgJwNcZcMXksO5kXMNcKVUkDVXJKmwVRHUM4gx+SyK4ROpEi9A9yOUdHBspqszYCpAqynqN2DfGdPZsWmPitjXvTvXkPUMYv9i4FX2xhXBdN80gPkOeveKM0vvkb9r+Hh1z+mOIGVpbbBUGZ0jpDDGNqS5gEg4R8i4h51eZaiem5rlMdTS+F3sLMVXnhDA0UlS2jSqRolsE6BuWW7wrFU/nIdK4ZW23t4hpDO+JR//jLW9gCT8PY7mTc7km/iXA/gDA7NL7ckuYOlNEMdBrqkzSdkCSRb/J1c9KkIQxZgdDGl6LgFK7gFL5f1Jp4Or3pWK901XsUXV9/ALD8KqO89JPvwp56ffvxsUl52gsY+HocFHVHq3Qr/oQIP6rzdg/9SXNkevO7OvQSMPBu/GZnoaHdo1jtZXGlvzRlZqmf40Bn/T7e0xAqiDzBj0VpF2Qm6vf1BDXqj8CuW/HLYGMU9FSXxXC7xvi/SSl4oiJl0cQCDh+pPQtSsThtTJg0Bib+O/S798NyBddHDtZwFhlFWUMDN9hTPtbztiBmBHDtavfHdGh746nVwWP7y7ixsdM/PryoQsY2P8L0J3yYJ/4Awb0pQxFFnGzPSpICTHOMBDTMJ0wU3QJw5ZbVcooSQ6SFBzVD0Qo+4dQ0gR1hQuY+VKJRyBS9eMqAE6SyUyVROR3smyB48NFlZci53/S9yiA6BfE6D/kkNuZzC3BHVdonRpuYJiJz6ouPLZtDBaBk128QiP2DQDXln9fqXbM6jOVGqLr7S9mk9I5+szpnVRyIZ4sCthljCHKCMIRXpEY0SXkUC9KjZcUcZQRyEySQJj/LIZGLUUczlRLtQvCr4m0P7/9wnWvPrzjddw+wyWNmfN0GsCj28cwUjjJepC+GcBfAqrloPquKhBLZ8oLMthnqgXaiY3WCGEMFV0labg+QdjilIrxbkFJbTG4JBGPQGYKeXh2DRtHTxZQsKfYNaQ++bQQ2p/tjw2/uNSZTXecP3Mres2MJ9IAntyWw2hhVDdIu4Nz/k0Aa8vfjxkc82fF0ZvubFesmMYwYE6vkuRdgcNZGwXXPdVe8F2OkpvZ4Fy9tBlCHtm8gyNDBVV3o4Ix9GUC/mxkvLh+4ax+cf0MTV7r/qfQAJ7cmkMxm9dIFx8Gk5IFW1N6T260ZExTZJFOdt7VJYlCEkZsGqPn0ZyN43mrrWPrJqg2DJI4NA7TJ49uBfONoYeHCip1vgJeg8CfuIX842Zvn5iJtUO7d/YbxFPbcsjncgZxfIQxSMnizNJ7pEK8NSyYlVAekW45pSVZSLVEr3J6jsrFlyueZr94L0NKGaZPHgZnE42kuwle5quLI0NFVYi4At4gwp8ULfuRVH9a3LJqZmW7dt+MN4GHNmdg5jLcNrTfAGP/yS/KOwEpUSycHW+bJ6QkUnM/A9KpYWvQGZDQGRI6h+Y/DkkQY7aDE3kHtmjMpfpeQEnqiGkeeXSjumI7QqknI+MVSWMTCXxlXIw+tii5lK5aM3OaRnffTDeIJ3YUMDw6qqdM/f0A/TWAVeXv96Z0LFC5AO2O3OQTVvS8S8jY4rT7u0SwXIGi6yoRSP697ovbRVeo92r01ogwQcwecZhdRhxecR7C0aEChsetSl64112Irww4vY8X0kQ3zhDvSffMcBN4/u1R7M/FWS/GbmVgfzPZwNmb1pUaUiVxKFDIvZ7UOZI6m6JilAdgiTKicMpUjfLxzeiH0iHoXUocjksqwOvkqDVlDRLwEhG+nEmmNgwIC7ec3f1Rod0zsw3ivjfzGGAnWEYkrgaxvwPo4vL3lWQxJ4FYyPUrmG+LSOm8pgHTEqS8HTnHOY0oIgQLSRxxnzi6wcbBfNKQksbJsamkAeAZIvZvDE3bWDQ03Hl2d9s0Zmx6+4p5Qxh3kxeB8JcAXVT6vXwgvUmphoRPFpIfegyuQrxrkUUJUqqIDJjhwhECWdtBxnaUJNfp2VZJjRrD3Flx9PdWbIx0FWP0F7ZwzlrT/uE1jM5TcIO4fwfBdEZRKNpnmlxKFqrpsReUBaAnoWPRnLhqTRjmYpEEIcnCrNPNl7UF9o0XahpAIwQLKWDENE299A67Y0s2jcMn8pUMoS4BPyMSfxoz4vs2bn8e/89Hb+/MQKfBjJMw4sUhFB1nvs7xNQC3lpNFKq55Bs4QyUKuu7QvVdRLFlKoGLWciCzaDDndBcdFxrLVT+rg/KsC0hrzggZTU7wiUj79DQ3831lFZ+Cy867szCDrwIwijPXbx2A51KMR/i0H+2R5IlnC5IosErHwyMLgDH2mpiSLOjQQhaJLOJKzMFys6F6L0Aa4RJ6aIkm7w25qU+dYMCum4oImrdM4Mfwe4+L/zhdyyce2jXVqiDUxYwjjV5sc2IWsyTn9Dge+ICcY/ikiH4Jk7mRcD40s4ppXuyKh1ZddqZLGCg72ZQoYKthtL4QTYSosITBuOcg7TsekDXlXKQHPnx1HMsYnu1t7wPBH3NV/czw7zp/a3X3l/mYEYTz9dg5HR10moL8f4F8BMFh6T9cZ5s2KoWeqmBcIVCFgXwWpVuhmMrKOwIGMhUO5IvIN1rKIEC4EEXK2q4yinZI2vDQF3+U/NQFxPoCvxrl5neMW2XO7u0vSmBGEcfL4OFb2jl0AsD8DsKz0e8a8Kll96XDa8ku1o9fkSgWphyscQTiet3FgvKhsFlS50nSELoDlCqWiFN3OkUYqqataLNrkFpsMqxljXyvm7NUjue6KAu16wli/PYdESltCjH3NT1OfwGCv14EsDHe77tsrUjqva9PnHIGDWQtHcxaKYmrptpkJVvZ690HZNiwbOdvpWKkAedjJQ2/SgST13usZ8BVOuVlP7Mh2ZGyV0NWE8cTWHEat8QQBvw/gzvKV25P0+oWEkb1o+rU2a5XPK0EVUCk42J/xpYqZsr0ky3IO4pp6Qb04qMS+RGDkggnHe5HwzkVV+YZ7f6/ppz7L+IysDiyfV95xlVHU7YChSS5feegN9FTynLCPw6XPZfPZ2DO7c20fWyV07RN+9BULNh/XOKdPgOHvAMyF/4ATpobFcxOqb0TQB0NMY+g1qhfmLYflqyAjRadSibbugqqTJ0VfpjY/s4vghSx4bhxabhQ8NwYtPw5eyIAV8kCxAOY4YK6jVjVxHWSYICMGiifhJnogUr3eK9kLN9kDMpMg3fDvQX4J8plj7ZVSZVLXVUJbOyHXjWULHDiWVy0aJ/HuXgH8YSqtP0DjBl1/YWfraHS+MEQVaEszEAfpAmL4tyWygO/LnjsY89LUA16LUqLorZFuXo6sI3AsZyFju+rf3UcWzDu+5E/hKnLQxk7AGDoI4/h+GEOHoY0PgWdHwYs5RSBMJcIJ+BWEQVK/91V8mnxdKY1IcjDjoEQabk8/nIG5cGYvhj13CZxZC+Gm+xXBqM8oAuluA7AjSBlDk6Qhprev/qaqWm9wZc+wHKEaQ5etp2Uc+OPMeHE7UrG32zaoKui+dQ5g/bY88vn8bM7dvwPYp0vjlPt47kAMcwbigUu/CUUW2rTxFaTqVDg4mreVwazrJlBJEhxwbejjJ2Ec24fYwR0wDu/ySCI/Dji22rxe53lWmt2pKoXa45I4PAI5/T0q+0meRCElGE1TJOL2DcKZtxTFxWfBXngm7DmLIeJpb2ySOLo4iE3OQkLXEde1tmpZ8lYnxywcPlGYrB5JXfcfXcG/lk6lR69bHY6Rv94xdhWefyGH8WTRcMn9EvfqcapsHDl9/WkDC+cklJQRJBK6VEOmJ4uSvUKqIU5XqSDeiS83olQtzMO7EH/nDcQObId+8ognQRB59gnWhBGTCMIh1N2OzVdHpAJEmg7R0wd7/jIUl5+D4srzYc9aBDITXS11yBmShJFQpNG+Jy2El6h2YnRKlbUhAP8uyXq+f+35sY5NWveseR8/y55A7w52LTj9r/LaFjGTY+m8JBIBqyL1ShZSXD2Wt3Gy6AVhdcfE+UTh2jCGDiG++3Ukdm6EeXQfWCHnbdgAjZHk+GpKo/OvvEakpA/RO4DisjUonH0ZikvXwO0Z9HsldCdxxDWOhKG3LWVe2TMcgf1Hc8jkJ9cGZa8R4fPxROr1G1bH2zKeSuPrGjy2Iw9nPDuHdPwPBvxmaXycM1Uxa6Bytl/TiGue63Q6srBcUu7Skhek8/CIgjk2jON7kNyyAfGdr8EYPgK4TqgeC6mekNMEaUxcQChpRySSsBedgfy565A/6xK4fXO897uwwlhM40i2mTTGczb2H82rhLWyu7pE+A4Y+xPu9A3fdkn7TZBdQxgP7RiFm3cNjdw/YEz1EZkwBw/2mipPJMgWhjEV6j09WRRdgUPZU8bNjkMShevCOLoHqc1PI7H9ZWhjJ70TmvP2PFIhVZRTBtGmoNy2Qnle7IXLkDv/WuTPfh/c3tkTKk03od2kIXFsuICjJ4uTyXmYiP3b/HD8n5ckkuKyde3dwl3jJel3NIwy6yKA/YsSWSgXaoxjdr8XbxHUEjK55zqdjiwKqsR/l5AF81x9+vARpN58CsnNz0EfPubHRkiJoo1dtTgD17ln12g2doExkByz68DYuxN9h/ciseVFZC+5GfmzLgbF07600R3E4UWEOm0jDXmHwR4TubyrXK1lGGCMvpTsL7ywb3B4W+gDqTCujmP9tjwK1ngfU5Wz2O+WxiVJYuGcOPp7glNFvIzT6etY5B2fLJypPSbaDs7BCzkktr+I9MZHYB7d420m3uG4Oylp2AFJAyWJI55E/uyLkHnf+2EtPMsLCusi+0Y7JQ15i0zOUfYMyzlNNZGz/vfksD/n6b7s7avbd+53hYRRyKlONXeAsQ+U17foTeuVagc0jVKFrGnJQkoWOQvZTpOF79Ewj7yD9MsPIrnjZWXMLEVldhzysRnwSaPFa5UkjmIByU3PwzywC9nLbkH2ghtVcFi32DaUK525SLbBeyJ5OJXQlUquVJNTkJviE0Lnj99h/4cHQx3EJHT88Hx6SxY5O7cSxL4Nhuvhk0Xc4Fg6PxlYfQv5RXtVbkjtr1wos1l0liw4mJ1HcusL6HnxfhgnDlSOlegCtGwIrQThAoaJwqoLkbn6Iygu8h1mXWLbSCiXq96Wx2FX9ZrgPpf4F1OJ2NHrV7cnArTjx5Rj2TojfAIMV5R+JwWAwT4T8QCL4aT8it61YLmEI1kL2U6TBecqCrPvqZ+i/7F/hnH8QFfnajCNgekBLyUpRTkOEltexsA9/xPJN59SXqGSLafTKDiual/ZDpg6x6y+WKUyg9drTHyk4Ii2TUpHV+AT28Zh5YsXg+EHYFA1UEtFfJfMS6q03yCQ8N2ntTQRW1X19lynHQXnMA+9jb5nfo747jc9/b1LNsl0IFt4UaEBgwkXIplG9n23YHzdByFSfV2hokj+Thm6qhkaNogIh44XMDRmTd60LzKw3zNjia03nJ0MfRwdW4m/fJtg5wopMPZZsFMBWpJFZ/WZgUVzGpypAji1yMIlLyiro2ThSw/xna9i8KH/jfjOTac8IDMESsoIIXuYuAaWzyL93P3of+R7KnpVSSAdhtSO8rYLuw01NThjSuo2p/bYuUiAPmHbblsKZ3RsNV6YewmuhnVg9FEAE0+/L22o1oZBnFMlI2etzFP50E8UnM7W3GRegljqracx+PC3YRx5p30xFUGCyX3Mwhm2JE7HRfL1Z9D/4P+CcWR3V5CpPGxyjpetHCa8EANNuVonTa/JgE8JUTz/8e2FUMeAThHGl39F2MrOTDOw3wawBKWMPZ1joNcILEArqU9f02LEcjCU72DNTcZUCnl60xPoW/8jaCMnuuL0bBoaAwurpL+fnh/fsQkDD34b5sEdXTFXjiBVhCdse6yc1f4ew3MEnH6vM0D4tGNZoeskHSGM//IbDIz0axlwB07lSqKvx1C1DoOY+LjfjawWMrbAsVwHE8lKZPHqI+h76ifQMqPd4S5tEUo1CXFCiXGY72xF/0PfQWz/tq6QNCxXqOLCYUIVEDa4crNOWiY6GH5DuNYlT20Lt3Bw22f6nh153P/a2ACH86mJojjkTcRAjxGII0Bn09stSvkhHSunJ8lCqiGbnkDvc78Cz2ffFWShILWSkIvQENdg7t+Jvoe/q4zE3SBpFF1XEUeYUE6BlFGpQv4yBvoE2SLUrLS2r9DdAtA0+yoGuqW8zkV/rxlIAyJ5wZTBagZneUbOTgZmMfXkk289g75nfgGezzR+SpbnW5RqYKB74hSYFn7MiJI09u1QhlDj2J6OSxpSrc23wZ5h6EzVs51UnpKD4YMFN3/pE9vDK+fX9hk+3y2mOfAJAPPgr++4qaEvHUwQTExjSExzug0XHWW76JhJkTHEd21E77O/AM+ONbXQmWmCz5oFfelS6CvPgL5yJfSly8BnzwYMo/PEwXzSCBnENJh7tqPviR9BHz3WcUnDEYR8yPYM8mvapqaUemCLieFjjm2HZstoa2j4kzuyyOez6xj4zaXfKemix0DMaL3Ohea3MaylimRtFyfyHaxpIUXpg9vR/+RPoI8cb3yBMwbePwBt/nzwZFKKa6e9rQkBkc3CPXoUYni4o3kYkjDIZaGTlzKEbnsVvck+jNzyWa+yVwcJU6olOndVAZ6woGtc7Zts3ik32MstcKdw7R8/sbXw4o1rgtdO2iphOHYuxcA+Wi5dxEyO3lQw0kVSr50nYvtFey3RKSMnhzZ6TAVlGcf2NUUW2ty50JcvB+/p8ats0ekvSSg9PTCWLYc2b15no0NZ+5JoJS8m3ngW6Y0Pe4WLO/i9yY8EDbNRkrxHOmkgMdWWsQKED7mOFUpcRtsI48mtGbgOPw9gt5buK59pX8rwbBctHgimxhRhVIO8/MmCg/FOhX3LjWzl0fvCPYi/82bjBk4i8P5+aAsXgU2ncsj3DB3aggXgAwOdTRHnIcVlTIZcTJaF9IaHkNjxUsfD6F0irwF0iPfQNaYcBZMyZzUwfMh17TMf2xG8x6RthGHbri6I7gSwHGWVkvvSrXtGVIiuzmrWt8jaQpXX69zWYUhueQ6pN5/192+DX9owlMQwLVmUQKT+Vp83H8yIdUxEZ6yNCXOMg4+PoufZu2Ec29txr5NUTSwnvHwTpqQMXdWMmfR4zwTo9iEKXr5ry4w+9vY4HNdezqAIY+JL9CR1xKYGoTSMOGeI11gcjiCcyFtKJemM3YLDPPy2yjplxVzjG0hKFz094KkGdXNJGqkUWE9Pw0MODMqB075ZJ8ZhHNyDnufvbc77FORYVPazG1qDJFIek4qHbhwMH+wtZhY+viVYj0lbZtN2MgycbgJjq0u/U60I00bLA5BrMWnwmntwpOh0Ll1dnnq5cfS89AD0k4ebs+IzBpZMNXdicg6eSnVURGdtjnKXnJrY8hKSW5/veHS9PKyKIWa1ysfak9K9HJPTeekiDXTFz3YEK2SEThgPbBaArc9mjEnpQrl7lMEmoQdS6yKh1TZ0FlypijgtlZ9sFXLhJnZsbH7XMAYuVZFmN73ZwmeDAG9zHQ9JsIUc0i895KkmHY7PKLoiNAOoF/SoVXIc9AvBPvhbZ+YDLZQR+kwuOsoBMi8EnWqkzBlT1bRa7YuqSelCZ1W3oZQETxaczjUcYhz60EGkX39cdRbr2Kbtgliudu9Zqb5rRw4i/epjYE4H597vZ1NwRGiPQX613pQxNcOb4eqi45zzzNbxwO4V+mPcO3DcAJzbTw/U4qr0WKu7WEoXtTJRc46rupR1BCpPxFZJZU25UMtBBGHbzRsuLavzgVzt8paUQxASbz2P2N7NHZcyLBFeGrxSwWJapfahiwDc4tp2YHpJqLP4g82vI8axhIGuLw8D70nqyljTyhqWZJqoUUGrJF3YndoojKsOZMmtG1rfrESgbAZoRhd2XRXI1WnCaGf3sLKbgo+NIv3a46rJdEdjM8iLzQjrMWgaU1LGpPPTAMNNlmDzz3j404HcJ1TCOG7tBQO/sryDmfxiPQEEasWnkS7GbbdzMRdgSgVJvfEktNETrZ9ujEGMj0NkGlz08nOZDEQmOJG0abDOkAaBIbbrTcR3vd7x2AxHCFgh2jKk1G6apxfYYcD5DtkX7bz8h4HcJ1TCWK1fkRYkbpzoM0JAMqap3JEwpQuXCMMFO/QkoKpQbtSdwS5Sx4F79AhIqhf1XJMxkGWrEHHU+5mw0YkhSNUwl0PyzadV39lOu1mLUuILaV2aBlfOhEmYxRi/4b59I4FEfoY2e49uHQe5fCUYu3yi5aGvjrRq7IxNJ11YAlmng2nrdhHJzc9CywwHt0CltDA6Cmf/flBxGiNeiSwOHoAYHekOsgBCKd9XD5SUsWerb8vosJThChUPFAbkV0sn9cnFghlj7FounIXffeNoy/cIjTC0jJAXv4wBKzARrdy6sVNOSlyr7hmRUsWIFX6KcVUwDuPEftU9PQyIoRNw9rwDMTICKCOa77IsvYRQJOG8sxvuieMdt12chk7t1ZKUsfUFMKvQ8TwTy3VVUd8wLi4l+Jg52T5IZ3JiF//ueXNbvkVo2arFJJKw6TqAJUq/S8YrfZnGYPLatS6ytuhsmwASSLz9CvSRAGwXVSDJgjIZsFQaLJ1Wqe4KtgWRyUJkM4Btd/w0nQxJ88Q64+ZV1ar2bIF5ZBeKS88FqHPtL20pZWik8p+ChPyOujyU4zqy+dO+Xy9n7Lr73hp+UG7NVu4RGmFoYEsEY5eW/q3yPRK6qtfZLGEwv/ReNb6Qkt6oL110LBt1/IRnu1DtAUJK1ZQqhzylpLoxNuoTg999zM9Y7TayUGA+aXSCMRgHGxtB/O1XvaZI6tl0RvoqSRmGxgNfp15+iYahMQZxSvXhYHRZgusLAOxp5fqhHIFP73bhOsVLSwV+4VcJSia0lp6RxpkqkFMNeUd0tnEyY6rGpHHiYHuMayVSoLJWhd1IFOXoZLa9KxDf/Qb0saGO2VNKsAXBDcFjoroGmpoqeTlpq61ybPuc9Ttaq44fyqq28rkYgzJ2eqHgfmCJqU/5Eg0hxr16ndUwZjmdSzDzjZ3xPW+CWZ2NLOxasM4SBjEO/fgh5cHqdJKJIAqt/qdSSxJTpNtBxvA+x7FaEntDIIx/A5ec+QAuLq97IfWqVrwjnHmxF9VguaTiLjoGvzhO7MCOzo0hQm2oHJOC11HO7WAfGh+WEKG4WOV+S8r9dvqhxRlhHSPqa+XagRPGq4f/QurXZ6heCSVDjMaQiGstkbrOWU1XqlRFrE7ljPgwj7wDbfR4x8XdrkaHp0Z56w7shD5+suPh4kJQaC7WhMlhGKfbC4nhbMspLH9px2tNXzfwGRs6Ns4IJKWL2eoXfguBVr0jMV7d2OkSMGa7Hc1Iheso+wWzrc7viq5Gh+eGMegjx2AcfafjaiP5HpOgKUORosGVLWMS5migC9YfvrDpawdOGLrWm2BgF5V7YOIxTRUtbRaSKGq5UouqiUwHXamMQcuPw5SLMEJ3Q6kleZiHdqv2lJ0mMEeIUArscMZUGMMkTkwQ2MXr+kdjTV83iMGVw4E7D4S1EzdgXjBJK2Sus9rqyLjlqkIlnYIypp085FUBj4yd3Q9XqP61vJjt+PNyicKplcE8R8Mku6H8x1qL89nNXjZQwrh/I8FxrDPBsLD0O01jSsJoBWaN2As54dmQi61OBzk04/h+8EKu4ydW16MLpoekWjJ0GFqmO8LmbSECD8iV1zMNPiUrnIDltmstfviVI01dt6HArce2ZCpHyHmNvDB0jFjfADsXQC/KWiC2ksrOfPtFNRQcrzhJJ9URuLYiDGV574KWfRGmA4M2PgJ9+AjsOUs7PRglHcuDr1bIQDPQ1WHNkS+e2rNM1aWh1UgmXnxs8yjK3xCq+76Om1dVL9JVN2E8usPGtrffxhmL585nhAu9gjjEAeaC0WGH2Ka+3uFxBpyr8vD9QUjpQmshBFbnbHIyzWmQ0kXH8kYUGHgxB334KDoU9Tyj0BVzxJiKlVE1VrsAwldL9IAPG8YYEqaGEXaaCznOGHsf2fYeF1hCRKafnzdsc/5W3iq+88z2vLhmdaLiNesijB/nx5DfUeRnLpp7E4A/BlPl9uKn5EuW0xmeB6cfM2A1lWWnxk3e0iIxeHUvpSSKnK+OdE7CgKpOrY0NoUMhYxGagSuUWgLhdIWeJAmDVEuR4CAFlpjJlR2jzLAqb/FJAn5TaQKnipTYOtGOHvC/LxbyP39wt5V//0pzyjXrIoxF6wWyi+zzwfCfAFxS4U8kHX0QDBcSoGrak6pbwWAaWtPHirIN8OqZqZZLSiXpLBh4bhQ8P9YV+nCEekHQR08oNzgZ8Y7LPVItkZKGFvAaMg2uVBPHpfLlOavCXRKMcCmAv3Qhxk4Qv7vS9eoyep48gwxAfAzAdA7cJQD61X+Rlz8iB9wspGRRyzuSd7xqzJ3cpiowLTMCrtKmOziQCA2BiIGPjyh1shuIXpJF0O5VqanrmmdDbABLBPDZ+Xa2t9KbdV0pZfMUA84pb0JUD+RAJbs1a2KQbFvLEJR3RWeDtXzw7AiY23mf/oxAt0yRVCULWd+12unBeAdPGO5VTWOqbF8jYMAqLjCr0nt1XcmFK/WKxkp8MU8c4i2ESes1ojsdv3R7p8GkGJkdVYVrIswsMKuo7E/dYnuSazpoxUjZMaZp9DUZUjlwBatorqiLMKiJCgbKHdrgQCejljZjuaSSdzr+qEmoRcc6b/uP0BAY4NhKyugWCEHlNSwCQzP7UK+iFoSWfcN9CaNZMNROZS+6osPuVB8kwKzgu2RHCB9SjZTPruOHjg9lxwg8gsszDbRaR7eE8AiDM8/Y0rT9AjW7sRfc4KPjmgETAlwlnDUAKnuJslf579/N6JodKsm+wWcXIsgPFQj6mprGlfEziEuHUqLPS2nnyuDS7Bg1Zb+ovLLkpBb9LL/Orj3mSRiuVf17kletTxKC/KkCZQU7VQR2UhMJlJr+cPKyrzUvC7vdDY27AqUpIubPI5vy3gQm5o7UMegtHao9Z0RgTufrYpTDDSEeQ+OexzLfUjVPD+HU9CQvLLVZg2cphqOaRuIKz4bRNZhM3eQRAzn+T9cnDSr7g1qXK3+/VJ5T88pQcsMvR/luJQ/yCUJ4BDFBEnU+bgI7nTw076dHuJOfE4GJDrXSrAJ5GMrDJMimT560H8z1QisCLAfYrNrk2S+q7wmbSFmUu2fPeCNREoQkCauMJFoF+Xwkr20DoggwHeC657cKq85w2yHJwWXeHIoWn2y5ZCJ8ElFSGoFp5BHJBA91zyqCX8iaQhCdDb01B0QJoRCGHJiuBtjcCJkvYVSD7YpQrMkNQ6kOmlqYciMLX6II1QZBHnG4NsAsjzS4OZOI4/TnSiWicFm48yZO3csjDqFOJdLMrgjcKkFKFyriM2DGkBK//Jqt2jFCkzCmtJ5vAGof1vi4JTpSqP50cA5WyCG+5RWwvYfg5tvfnXxC3bF90jA7XnWufghAuDx8opgMpS5K4uBgLgMfHlLNjcgwuyKWpmT4DKSvoQ91gGveAd5qA6XQJAytBUZjqK3O2D5hdKo6uIR+eC9SzzyI+JsvqQpOje9UqrxRmjjtJGm4cggOoMUaDrFrK1RHBIdD2F6Ryc6BgRxC4vknwLJ5ZK+6De7cRf4AO3schVEYWPO7Bba6b0IiDNZySb5qHhLhE0ZHwJiyqsfeeAHpJ++Ffnh//U2DSgux1GhI08B0Tf30WhySKhlHjuOddOUNieokESlpyI/zGKDFu88wSg7gFuQ4GxzYhEdp8maetPwn5gv1fXnGwLNjSD7/CIy9O5C94UMonnsZSNM7ShphxBcpr6PcWO40nqNpEDhhkL/hW+kCx2tI9yKskmbTgWtg2TGknnsIyeceUQtt2mI5pY2v66qtoTZ7LrR5C6HNmQ/ePwieSoOZMU86IaGaLIvsOMTwENzjR+AeOQT35HFQLgu4rq+rTUPEkncKHrPyRPeoKMLyxlV3h8Iy0mSmCZZMg/f0gvX2gyVT4GbcWyhCQBQLoMw4xPioelE+57WKlJ/nfJrG1d4EGQd2o/eu/4Pc8UPIXXkbRLLXr/nZfpSfK0GBK8Jo/TrBSxjkSRit5JDwGi5VdRC3RpJNDIhDGz2B9CM/Q2Ljs/4xXoMsfEKTpKAvPxPG6rUwVq6GNneBWuxM12ufgEQgxwblMnCPHoK9cxvsHW/B3rsLNDY6MaZakBuUBKAlPK9Kx0CeZ0dKFnXZKuTcyQOjtw/6omXQV5wJfclK6PMXgfcNgMUTgKZPGNSp9BnHARVycCXZHjkAe89OOHt2wj18wCNcTDNnXAPPjCH92F3QTh5H5taPw+2f3RG7hvCTMaoXdmgctaT2RhDKUuJ1HIQ1P19jO7kihPDZmoPRoJ08ip4Hf4T4Gy+eOrUqwV/s2tz5MC98H8yL1sFYvFydjg1BEqZhgvUNgvcNwli1FnTtrbD37ULx1RdgbXoZ4uQJf3zVJ1qpADlAS3aINMgjCkkY05KFlKB0HdrCpTDPvwTm2osVYfDe/pofU+tEcrecr0QSfGC2Iuf4uhsgRk8qkrXeeAXW5tcgho7Xfn7y966LxCtPK7vU+J2fgTtrftslDQrYtVqSVlo5xEsIzejZSuBJre/lBbY0fenGwDi0kRPoeeAHHlmgij3Bf8J8YBZil12F+JU3qcUeiAxYGkq6F+Y5F8FcfT7sq25C4bnHYW3cADE2XFPaUQbRTpBGiSwK0/2d8OZ56QrEL78WsUuuhDZ7futzx7kij5h8nXcJnIN7UXz5GRRefhbi+LHqtiHfUh9/80WVazL24d+BOzivrZIGTQTvBSdhKKm/W+MwJJO1Iv3U+qhSSZq/dP2QCy47hvSjP0f8zZerk4VcSJoOY835SN72YZirzlMnZWjQNBgrVkFfvBzW2ouRf+Qe2G9vmdh4lVDyoijSaFO8hopLmS4UWbhgPX2Ir7se8Wtvhb5wSTiWWk2HvvQMNWfmhZcjv/4hWK++ACoWKhOT/5xjWzeix4xh/IOfhds70D7SULEYwV5yRkgYTVcKn0bCCN1xrxorW0g+/QASG5+pboESAizdg8QN71cvqWO3C1JliV14OYylK5F79B4UnnnMM/ZVOZmleiJ80ggv5dDDtDYLf2HoZ6xG8v0fR2ztxYDeBl8w12CcsQb6ouUorjoXuUfuhnv4YJU58yWNTRsgUmmM3/EpkBlvm/ckhMoY3hJukTPCkTDk4Fr4vtPkC7XlmcXeeAHJDY+pFogVT27XBZ8zD6kPfRKxy68Da8eCrwA+OAepj/w2+Jz5yD/wc4iRk1VVFBX7UAzX5arC16cjC84Ru/gKJD/0SegL21/mn8UTSqLR5i9G9u4fwN6xxX9j0qT46kni5afgzFmA3Lrb/L8JdwFShfSkltGimaCEcM6aFpms1hcLPQRDnkIHdyO9/h7w3HhlshAC2sLF6PnM7yN+1c0dI4sSWCyO5A13Iv1bXwCfPbem6KxUhZASNKVWpOIsqt3edzEnbrgd6c/8fkfI4hQYjFXnoud3/xVil1zhr9cKi0tKm8UCUk/eD3P35kDtUrUQAl8E4qYN5du3ar+oKWGEye6q72YOyWcehH7kQOWT2nWhzVuA9Ce+APP8y8IbS6NgDLHLrkb6Y59Txteqln1qMB6iAVDRU30qv+mTxfV3IPWhT4P39AU/gCagzVuI1G99XhlbFSod7ZxDGz6O1FP3gY8Ptym4Jfh1Xo0TG0FI37w1D3JtwggX8bdeQvytV6raLPjAIFK/+Tswz7805JE0AcYRu+waJD/yabBUT9WjXpKFCLhujEqIq3pNzwYUv/ompcKpsXURtMG5SH/897xnWk0XYBzmzs1IvPKUz7bhRgKFoXZ3r0oyE8E9F2rixcfBivmphEGkRP/ErR9B7KJ1nRplXYivux6JG+8ENKPqylOBXUGVgiCfLKqpIoJgnncJknd+ovGYlDaBz5qrbEH6spWVVTo/LUAShn5kf9tUk25DSN+647mkTSH25osw9+2svBiIVIxF4rrbur5/KtMNJG7+oAqAqmpQEHUGVNUBYXsSRuU3XWiLliH14U9DG2i6aXhboC9ZgeSHP6UidCuSBtegHzuIxManPWP4DEOrmaoIizCoSiJm10IFaA0hsWmDvxAmSRdCQFu0FIlbPgwWT3ZqlA2Bp3uRvO0jyntSzQiqNnqrtgzyCgZVfOBSKosnkLz1g9CXndHijdqD2NpLEb/65uoSBEGprPqRfTNOylCPqEWtpCu/cS2yCUVzZIC5YxP0Q/umGrTkojdjylinL14e6G1HRkawb98+7NmzB8ePH4fjBHtqGSvPRvyam71AskqnC7VuyxCO3560EohUiHzs0qtbu0kFjI6Oqrl7J+i50zQlRRpnrK4iZXgG0PhbL/mG5S5LCa6Fri0C3EJs1XQfDTIhx7sgA8tnEdvyKphdnKpuCAH9jFWIXXplILdzXRevvvYaHnzwQbyycSOOHj2qftff349zzzkHt912G6675lqkewLQ9TlH/PLrYb36Ipw9b1cM8yzVHW0qArSWdKEMxLPU5gtKKpPz9PqmTXjggQfw8iuv4OixY3AdR83dOWvW4NZbbsH111+Pnp7WjKp8cI6K03D27/GiQSfbs4SL2LbXkb/0eriz5rXB1986vPil1scZCmEIOpVt18wQqUbmTUDtFU6BcWXEMva9XcEz4kkX8StuBO9tPYrz2LFj+Id//Ed857vfxf79+yHc0/WBJ9avxw9++CN88AN34it//MdYu3Zty/fUZs9DbN21cPa/U1HKKBUrboYwSjVMq8G84DIVWRkEhoaG1Nx9+zvfwb79+xVRlEPN3Y9+hDvvuEPN3QUXXNDS/WLnX4bCS8/AfmOjV7OkHGrNHFA1NFRy2oyAH27eYopKeDaMkEpiNVBPpk4QzD3boY2PTlVHhIC2ZDnMc6brQT09pNj89X//7/HNv/orJUpzzqEbxukvXcfo2Ci+/8Mf4kv/8l/i1Vdfbfm+ErHzLoM2f2FVW4ba9E0wu5JOKl1SqnG9fYhfdrXK42gVkiy+/ud/jr/85jexZ+9er0BThbkbGxvDD3/8YzV3r7zySkv3ZOleb/ymWeFNpqTR2M63VPe0MBBk1XAEKGGEQhiixeSZWp/lQQTET4ApF6r5zraqVnHz/Es9q3kLKBaL+G9///f43ve/D9u2oU0+scpvKXVkTcOzzz6rNsmhQ4daureENmc+zHMvqvp+1Y0/DapKF0LAOGtNIIZOx3Hw37/1LXznO9+BZVl1zd2GDRvwta9/XRFzKzDXXOAlxFUkWgZj305oYydDCeQKwzISRO5caBJGK3UJa31SYwEOmjPlHdGPHaygpwrw3j6Yq9e2LNK8/PLL+O4//7MiC16nZV3TdSVm/+SnPwW1+qQ1DcbZ54OlUpXVElV5trFLTjRlqnQx01RSGUukmh+zj5dfeQXf/d73YNU5d/JklnO3/qmn1Ny1AnlQyHmrciNooyf9mIzgt3eQV/QqQFIgtUJDocZWm8rW+mitBkcNQ4q2xw+qSkuVArW0+YtVQZdWIMXAu+65BwcOHKh5Ok4dGkOxUMBdd9+tjHutwli6EtqceZVFCWri9KnWd4XIK/oTgO1CShf33nuvslk0One2ZeFXd92Fw4cPNz8Arql8E5ZMTf2yfo6Jfmhv4EZPFoZKIhBIa47ACYOVJIwWDsVaH5WEUatnSUOQpHD8sGr7PzVTEdCXrlDxDK1geHhYSRjNxPpyTcP27duxa/fulsagrtU3AG3R8uriW4P9VE7v5Fb+BkFb4NUtbRWjo6N46eWXlXG40Q0k52737t3Ytm1bS2PQFy6FNji78vNzXXXgKO9awBs8aJnFFcHU2AjNhuG2JGFQVdKQUikPopWFH+qrDx2rnKilGyryr1WcOHFCuU5ZE0E+UgQfz2SUdNIyuOZ9n2r1MqoRQBVUDfiSUtviFV7tzRYxNj6Ow0eONDV3kmCyuVzLNiBVrHnewqpzow2fUAmLQRIGU1J0sJThlqT+rgzcIsBxRdO7WtSoecHlggwkws4rkqOyDyffy88bCeKUtG27paAiIYQy9gUBfe4CVYG74uSKBoQgqiEGapoq2BsEpGTR6tzJ+W8FzIypjNZq5fykOsvyuWDL6YWwMUsSRqujDMfoqfTP5hPRyW9IWwlywHoQRiZ5CasInh2vNADwZDqQ2Iu+vj4VSNSMS0t+xjRNzBpszUtTAu8fUIVyKzJ5g8F2Fb+OHxXLZ81paZwlxOPxlueuf6D1Z6jNnuu1QJ8MBvB8Vr2CROChAyS1p+p7qhGE5iVREkaTENPYMcyArNJSJWHFYgXaJa8dQDze8j1mz56NM888sykbhjwh58+bhxUrWleNJFgi5UVdVuOLejukqz+uXAxZzhlPB5O+3t/fj9VnndXU3MnNMXvWLJx5RuuuXXlwsIrxJEz1P/Gym1u+zan7Vasf2wLkfgwiZT60XBLbad5TIr+YW+OjkjBaHzjz+otUSjaT95Y6eACVtOQpecdttyGeSDTM8PLvr7nmGixfFlAOi2GCxWJV80oaQ+UPMDOuXkEglUrh1ltvRSqdVuTZ0OiIcOWVV3pk3SKUl6RKNzQmXM9oHiBUEe0Ar0f+fgzClxMaYThu835f8nWuajA4D6Qpi9/Su+I7rNTCMADcfvvtuPqqK6eEM9eC1N2XLFmCz37mM0gkWzcgQkU082AqmtcMlNECTf+//bbbcM1VV00Jo68Fx3WxcMEC/M5v/7Yi7FahGk9Vc+uSAFNt+1u+zQSCWdunIPeh7TRvUyxHaCX6pAgk9aZmv7pTI0Xe4EzZMVr//kFGjVbHokWL8NU/+ypWr14Npw4jnOu6Snf/8h/9Ea699trgBjKd3tGFOVTz58/Hn/3pn+Lss89WJDqdlCbnrjedxr/58pdx3XXXtW2cQSJwwhCehBEEQpMwXOEZPpvdj7UaFmk8IDsG95shV9gp5NiBBuRcf911+Ju//mtcdNFFE9Z/KWaXDLzyJRe7JJQF8+fj61/9Kn7/i19sKGBpOpC8n11FymmEO2s2jqkutTULqZb957/9W1x6ySVqzirNnePP3by5cxXB/MGXvqSMnoFANciuIuEwDtKMwKRR1T8kQL5gikSFkviDGGJoHXeEIBRtgWaTtD2vbOUMNsnApmQNu5XqLwQYBsgwp/IFY6BCHrCDK3zJGMMH7rwTK1euVBmXDz/yiMpYzeXz6tQ3DEMt9nXr1uHzn/scbrjhBpVQFSisQuV07YkxNnKxyuX2ySqqV5CQc3fH7bdj+bJl+D/f/S5+/fDD2Lt3L/KFgiILOXdz5szBussvV3N34403qt8FBbUWSs2wJ7+naSAzFph4xsGClTCYJ120EhdVjtAIQ0oHlt28ZdZVXdorq45yOuMab02ZkCqPYYJUvkOFhZ/NQOSzXgXuAHHOmjX4q29+A1/8whdUFOLBw4cgXIHBwUGsXrVKqS2t1nOoBpHLAPlsxYXfSE6f97eVS/JTMa/mLgysWbMG3/zGN/CFz38eW7dtU0FZruNgcNYsrDrrLDV3vb2tReZWghgfAVWyP0npxoiBAqzCJsmixZU9BXIfBhEWjjAJQ6Jou2qgzbRoU7EcRIhVmbyYzqFx1gJzeg9bqHL3UxvYUC7rNQUKoXeGYZhKJ5evdkKcPAFRqFDgGI2bcxivQLOKMIpwh08grE4tUuqSxCBf7YI7dNyTMKYEDBIokYRIVHZVNwOtxTajkyEP7KJ/cHdtX5ISSqJQs+O0a6jCMc6UHaPp5yRPB92A0z97qtKoFn4B7tHWU8u7Ce6RgypuoCJ4AwuqViii48A98i6aN8f21kG1Eoc9faB4ZSm1GQSWJ+XDMw0E14QmPMJQupPwrLNNzoFTI2FG5wzxVg2CmgZ3zgKQXiFc2nXh7Nvd1q7docKxYVepugVfYmhUwqgIqUoe2BO4HaNTcMdGqhMgg+rsTvFEII1E5LkVSBSzD89bSbBrnbwNIjTCYH4sRdFqnt1cKjVfroyE3rodw5mzUImVlU4IZ/87EKMnW7lD18AdOgb34L7qBs8GuVf9faVLMQb38H6Ik8ebG2iXwT18AK78LhXKN4LrsOcurHzgNIHADZ4ALHlou40f2tW+TV2Ewb1A4IZnREoHRat5w6cKOKlho0jqvLV4DBKqJqMzOHfqA+cM7rHDsPe1nlreDbDfeVvZMCoaPHkThMGrSBmMQQwPwd69o/nBdgvk+nt7MygzPtV+IdWReALuwuWBuVQ1HjBhqP3n2REbvapV5QN1EYbhcilf1nPUyl2Xm0gFIaDgD7gZqJBWUT2k1VBqSQtCEhFEMg17aYV8A8ZBuQzsLZs8g9cMhlQP7M2vKQ9GxcXdBGGoz1RMr/DsP/bWTTNeLRHjI7C3vVWl6JCAOzgb9rxFgfU1DCYL+xTkqApF0YxWPUIaq+jqqpMwjBwx8bi80DR/egxEvwQwqv7FgIItlC2jWd60aqRdS+kiaWitqSWaBuuMcz3X2OQbEWBtfhXOsRaqNnUBnIN7YW17s6qRQm38JiaxImF478Da/hacQ63V1Ow07Le3enasKgYbe9lqiHR/IIFqQdsvAC9DtdC4ScAG8JhOOFHpzboIg5mcOMQDAP4ZQIV8cAVJEt8WjH1LEYe/Bh1HeHaMFiI+p1NLWrIsE8FZuALOvMVTDZycwz16GNamF5u/fqdBAsWNzys1oWLxHAbwJn2gkjAqSiacK/VH3jeUrsJtgJTGCi8/4wVtVSjfKA+Y4llrg8nNUd6RoPKjPDA//kK+Jl1WHvoVyUB+BMADxPE9GGZFd1pd3/bqtUk8+MaRk4LjLwzB3yASt4FjjhoXKfvGEU3Dr/NW/m5dS0hK2w5AOcrlHswVBXqbDPmUXGEJQkyrPJkJjSOmcWQdtzlOEgS3bxDF1RfA2L9r6vuui8ILT8G88HLo8xc3c4eOQp6QVmnjVliQvNqmrwPKjmFULwYs7+tcdjX0Sipfl8Paugn21jcqx2kLAXvhMthLmitbUAl60PYLBuQtV3lJyiBH+6Cu4Veuy24HaCUYvKdPGAPYc4LhJ2u3D+1d+rHKfXDrVppm9Q0grsWHfvXU738bXPuiS/g0EX1KEH2aC/q/bv4vqe+lEulRjXgewGvlhtZ80VXiUbOwpnGvplpSS0idiMVzLobbP6uylHFoH4rPPz7jGvCSVUThmUfhHj9aVbpgZouNbYwqn5fzdvwICs8+BgowxL4dEJkxFJ5+xDN2VmidKaWK4jmXQPQOBOJ2Z2HYLwSQLziT+czSdbxwy9pZv9TA/zUj+jTz9vCnBOFzFud/Y2r63l3nV6+YVvcoL18Ww83npHHHVf8RmqaN6oZxWL4M3TjMNGP8l/8auHHNADbtzbnEaOOEvYN5npIKolHdcASpVzX0GLw1/U+eGAuWobjm4qnvqRrtAoXnnoC1/c3m79EBWG+8rLp3VYOULJpVR+q6BhEKLz0N661gGjK1BUQoblgPa8umygZiqcLOXYjCuZcG6h0JOv7CdgXyxSlkNuw6eP3B14R8aDndMI+qfayrvXwyGU+4N5/bhxtWVW8P0bAC9pFLaoczX3jmIBwnK1WSPQAGmF/tR4pHyXhzsq/rqyVmFbUkrnOlmoyJJtUSCc1A/uKrENu6EdrJE6efyIxDDJ9E7td3KbWEDwZTgi5MuEcPIvfI3d4pWSXAjbcoXSgw7zrCruC8Zxw0Nobcw3epRtZB1EgNG/aurcivf9BLPKxU14Nz5C+4Au7sBYEF9emB1Xc5hYLlVjqkd2q6/vbt5zYf8Bh44NYt5yblxj4EwqbSElJ2jLzTUiOVYg21RGMMabNFbwkJ2IvPQOGiq32ymByXwZVOm33wF6BCrpU7hQ4pUmfv+ymc3W9XJQtm+IQRAJhe41oah7NzG3IP/Ey5qbsZ7omjyN7zY2XorkgWwoW9aAUKF14VaDq7EbQ6QkA+707Os5K/ftkGDbVy7VAiPdOHZ2XB2IuS6NQvGJArui0V8bCnUUvShqZS3lvJLYGmI3fZ9bAXr/Dy68shn6wUV59/wjuBWqhmHSbIKiL/yN0ovvJc9T9igBYLtOMkeKya99G7SeHFp5F77F6vzkgXQpJs7v6f+obOCl+ECBSLI7/uJr9jezDShcaCVUfgR1hnC+5k+0WGAS+OpvtbegDhVNxKqeTxlwAcRZmLJ190myZmyRWFGobTmMYVabQEIZSomb32/aBUeqoF3M/GzD30K+SeerDrFj9ZBaWG5B9/wGsSXGWyJVmwgNNJlS0jVu1NBlgW8o/ei/zj93WdEVRKPrn7foLChidr/BGhcO5lSh0JEsGVm/TAmBfdmbem7LXdBGxKtpgkFwphvO9KBo3FdvpqiYIk5EzOaYmYpVpSLbdEzk2fqbXO1lKKWHMpcpdeNyFVnAbuRYDm7v0p8k880DXRjFJNyv36V8j/+i6/SE7lR6tiJ6pt7BYhCaOqaiLnLZ9D7v6fIy8ljS6ZNzE+guw9P0T+qYerFsmRqoizYAly197pZaYG5EqVS9VsJVK5EgjI5it5JelVXdMOfHhZa/cLLfmMZ90MGJ72I8cUcgXHi/pswVtSrCFlJHSOtK61xqG+6Jm77gMqNqPi4mBcGRNz9/4Y2Xt+BDE23ModW4YYOobML76nJB+5KWslmGmJUJqN+zcAeLxGXIcKt88id//PkL3rBx1P7HOPHEDmR/+E/PpfeypmRbIQEOk+ZG76qLJfVC3V1wR0zlXAVpCQeySbn+JOzRKxZ5b05ls2IoVWQIcl4gKU2wAmDgJYrqRSmxRpxJqstahi411CokpBb6kPSilj3HZb61QtVZO+2cjc+jFo4yPQD+yeagSTJ2ahoMRs9/gRpN7/MejLz2r+ns2ACPbOrcg98FNYmzd55FbNgMb9zRxqyaRTpOTkqjSXkfNWLCL/+P1q3pJ3fhzGilXhDmoyhIvi5teQe/DncN72e69WcaGSYSB39e0orn1f4EWSpXQRaKwWAwpFV6n+p9unaL8Ae/Gk1WzBzFMIrsLsJHzvH/4Sn/vDr+YEicsAqFbewu+50JPUm+4dKfy+JNVUD4Mz5Byh1JfWvCYE0T8Lzqx5MA7sBs+MTj2afZXFPbQf9va3QCRUlywWC6YtQC2I4RPIrX9AndTOnp1+FFaVb8y8TVzVxhAwmE/oVM0uXJq3wwe8eROu6izfjnlzjx1WRuHcPT9Wz00RbBWygKYhd9WtyF7/4UDrdsKXLhK6FngP1eFxC+M557S1T8B9RZg/vPWcvpYt9aERhsS/+PzXiw535oDhRjlHzDdeppM6jCZ1N/LrHsarxGSUDEiZFupwnLoZqfR3t38WzIPvgGfHKpMGY6DMGOwdb8HZu0v1NNH6BlTbwKAhxkZQfPlZpXcXNzzlp17X6KEiySLuk0X4HRVO3VavgzT8eXO2b4a9d5dywfL+WeHM2/AJFF5Yj+zdP0Rx4wYvR6Ra/xRfUstdfgOyt3zMq/sacE5MXNcCt184rsDx4aKS5MuWQ4aB/Xe3SK/95H//fy3fI1QBVTMNQaLwNIB9AJTcadlCGT8TZvNcVXAFkoIpaaISegxNhYtL1aTlPUKkwoBHDRO99/8A+qE9VQN6YNuw33oNzq7t0FechdglV8BYvRbanAVgRvNBD6pc4LHDsLa+AevVDXD27lRivdfKvsai4z5ZBBGg1QRKEo1bqNH7UqooTmnetkFfuRqxi7150+fMV93amoUkBffIARW1WZTzdmCP8taoPhXV5o2EKoiTX3cjMjf9JkSqL1C7BXzV2Qw49kISRC7vqujOSWfHVsbEC0YsHgjjhb6MHn0rkxSi8C0ifA4+efekdCydn1Qhsc0ibXD0GtUnfbjo4FC2GFxrEc5h7tmG9K9/CnPXVu931U51+SVJALqpRG19+Zkwzjgb+tIV0GbN9Xqc6vpUyUB+TriqQjVlM3BPHFFl9ZydW5Xk4p445hnnqonRZVBuznhwwVmtQFiAyNeRBa6+v1AkoeZthZy3NdCXLIc2a55qJM10Y+r3l5tcdeuxIbLjat6cvbth79qm1DUpXXgekGnmTc59IoXsVbcje90HfI9I8CUapSqSNII9q4kIh47lMTRul29qF6C/c3Xja3ee2x+IWyp0wti2+wT2jNPHAfZPAPrhx84vmZdAb9poWtLTGcNgrHoOiUuE/ZkixqwApIwSOIc2dBSpJ+5C4vUNYMVC7RO+RBykyl2rjvCsvx/awGzwvkHVtJjFExP5KlTMQ2TG4Y6c9Cp8jw57Xg9lwcf0C94HMzzJImwDZyOQqombr6GinPbH5fNmgKdS4H0D4INl8xaLn5o3KUlkxiBGhvx5G/HmreQmne409+/nzFmA7I2/gcKFV/pl94InC6ky95hG4Lkj+YKLvYdzqkJ42RI5CuCzMXH00RsuOjeYewVylRp4ekcBmczoMq5p3wdwDXw7xKxeEwvnJFqyEvcYXL2qQZLFgUyxZl3QhsE5WD6LxGvPIvnsQ9CPHT61maeDWph0Sh9mZVIK+f9XGmqp538jE+RHXFaPuuws5P4TBU/iaMh+WGnelJG3/H3/vxudN6lu6AaKq85Txk1rxdmnrhkC4rpUl4Nn8uPDRRwZKpz2OwIeZOCfddMDJ+88I5itHvoZdO2qOB5+deQgwfk1gMsBKCF5POeoiLREXGv62eRdQlyjqraMtKGh19SUehIY5IkWTyF3xa2wl56F5IZHEHtrI3hufPpFWmsht/I8mZ/PEWs9+zRMSBJTcSA6IIp1ShuYZt7Q5Nz5a86ZuxD5992A/KXXq3iLMKvEa4whFmDryxIcR2AsY08ueZJnhPvStjZ8dUBkgbD7kpSgxXWHET0MYD/852vLL5m1WyJyRxDyNfJTJI8Mxg1FKIGeF+TVDbQXr8TYh38Pmds/BqSCdbvVC7n55CbUUt1NFhPws1vleBV5hOqnqwGNoXDRFRj59B8he+0HfONmuC0lTK3FMgwVIK+WyTtTQsEJ2EagpygdjLGzhLYQxs3npJFnsc0EPDohfBMwlnVaqpMBX8qwpinhJ0kjFN1LCIhYAs6KVeADCegpUpshdHWA+XaKpE8UscCSJ9sG5geSTRBHk3VFG76vynkhaP0GCu+7BvayVd6NQ7BXlENJF3oI0oVLGBm3J3OdlN0eEpq265o1wbqo26bpfvj8noJLdO9EvU/m5eyP5+yWDmaXCDmnemVxiYGYrtysYZz/jAjEuYoI5GWbWG0CI0DyKKkdcUBPea9utVU0gpI3R81ZEuEQLj+dYOWzQUxXwVisTRXhJVkE3dVMXi5bcJArTE40o4Mc9P+z9yVQclTnud+ttbfZRyONdoSYRUIImc2WhYUWsEViHib4OAbs45N4g2MH85I8h9gJNjbmxA7BwHNYEoixXjACO/HDBssGIctgErMaSSCBJCQQQpq1Z6ant+qq+nPurapRa6ZnNEtVd8+ov3OaQV3dXcu997v//v9cVzXfs/yKZkd/4JXX0SzNeZ5Av2XAlfx+uWDA2bEmqkJRJj9LMpaNkDV6MBdXSRpDKrKWPWaK/ORAjkVdUd2oMjdoiS9uz9hvun8tNx6BhtnUhjWpH2qMzNyoybxXKeIpigHhANIcCxd/Tvkv/szIHqfG55k7pDGeHSd5WXXGrQhQJafurN+wbEe6ME+MaiYi9mtbrX71w23+31/RCOPP37cct790sLddrvopGC4GUMvcep+JlIn6am3SEgDngKRpQ5PkgjVbOao0GbWmgu60/ynpxyff8HT4vMmKPKKwh/37+MePN0VmE29fOFMw4pnZJ/6FfdyphHyClfLIgo0hP/PfUlTxCvxemOMZ8builgjUSlnCfjHslztsSf3PS7u1tK8ndFFUT32jHiPLYk/LoP8CsAlu2ns8kRP5JVORMgyLkLZsREf5Df5QG3QV6ZyNwclWGC8Ecnqb2OOJSGQjJ/IpyAcTAztOHj7W+xESISf6oME3scmmQYwFLl3EE4awYZwY+seelmD990+bKZDZVVQN+FNnzuKyejeBHvH6mzhBJyYGUlNzffLHkzTH7mGiyQyzwuqobthJn5tLGGqoFE6SCiYFR410JIzgBk1mTEgXfi9bLwx8cOSa6QHhkRfS/xa/siWYrajoJjNNVYmBPQngOe89i4D4gCH8yVO5Ta7LDZr2mOHgMU1Gg69eEwJJMkgtUipoBb7A5iqkrAbGF8wN0vLbjQq3o1nvgCGaLJ9o68R2yWK/ba3a6Ps5PRSdMC5uj6BKo6ME/HhIyoBT87M/mZvy+GVMGrOUHz9Xva6gWvNRGxNeEr2iX0wXEECqJog+KKiiwZb/v+/FXQxPYQfQZYMeshQ5/ollK30/r4eSOOWYotlkS79kwFDTDLKB3oEcjClmmDqqiT2masJZf1ZEFZZrf1L4ZNiqXtFIphFIC4FkJRCVhKsiYUUJJDbGdKWLYSX4bID9GjLboanB2mVKQhirz6iBoutdNrDZ6wrvVQuKD0xdyuBkMZgbvS0B3BaLUy4aDHe3kpiYgBURY5qAwZEIfU4xR8CqCP/FgWQOydSIAr8dJNPmTX/fEN+4LOL7efNRsrAfRVHIluwnAfzKczQSHI/JyECUiSNj2UgNbxUw/Bok5sMSJ6fRkRaafuGWpyiEZ1YNJupNV+RAIjpFNfCcjZ5+Y3gypc3A/r+VTj7zr1uCry1bMsJY36Lj0lWzemyZHgRwDF47AtN2RK4pBlgJ1SQ3etFgcnu2+lT/2fGSCMKoKCblDybGi7iE4eNwKZIUiFcEbipFPGE4rTpOPHSACJujsfrU57T6AM58IkoaWPzi8zaytvlbEH7qFPtwxa7BHBLJEUadCYMzcSJnwyyQ4ZbK2Rg0pn4OAS7iaq6IW+GL8ofEYIt6GgU63E0SMmOIBBD+Dc8pkDbRN1JdN8DYQ7KivLSuvcr38xZCSQnjvPfJqNGr0mBCytjjvW/ahJ7+rJA2pgouRfQbtvCccGGDk0jatEXKu19h4kLE1ULTP7HjlAANSRi+tTt0q2gFEaAFN0iLqyLGyLCDVxiZD8mKVrQmLyWf4etbY0jJyk4C+zdOpHAHIJm2hGriB7haEjcs9GT4y0afYYMxyVdd0xFxS5WrXcG4QQAxyVcjtSjoG4DdwkP/YA79yRFBWn0g3KdC27e+Lfhq6x5KThgc1aqSY8zeAhKNjwSEAXTAEE1Z/NgIuFbCVRP+IteIFPaxcjOpuqMTV1D2YJLkmxtcl4OzW3htD7v7jeF9dvgk3moy/FwOKUVVgstihm9srcLL/z54hGT8AMARDBlASZQey00xAnQ0SFzvVBVhrJoqbE0XzZwrRozyh4jM1aa+K6uSM3/8TizzYFmE7r6sCDcYdoa3iPCDJWc1dK1tLY7twkNZEAbHBZ9pgpKj7cREBKhIKeUPKZE2haQR1DIUxip16sYqUriEUQZVdwOqRTmT4NQvmVrqtyzIQg2MLLyYi77BEapIhoh+OCjj+WMHit/UumwIY0N7FMbsZNKycB/Afu+9z+d/T78hEm2CinJQJUkUZp3s4DMuIXIRVy4tYRBjhdPsK8gDifYOthqa9C/wzSUqJNPgyCKdtdAVHxHRyf/xNDE82KA3GOuXFj9/qWwIg2POW4uQaIjsJ6K7hipzuapJZzxbyErsG1RZEpLGpEjDbSPgFNEp0WJ1i8Jg1YcgzV7ge/MdX+D1fi2xrYcT+2STBT01Vg3wHiyb0MVVEWNEAONhEO5sjpnvrn+jLrDzj4WyIoxzLmSoZhoZdu4JG/SjfNUkmTaFPjelJssngS7LLmlM9JsEW9acDMgSgmwb0qJ2hC/7LOQ5iwIvajsh2DZYrBryuetBsdrAa2iOCU6sqoaJloaWhGThf4vD4egdMNA/UhVJA/QvhiJvz7II4bK+QK9hNJQVYXD80QIFkUjVIBjuAfC7/GPxgRz6T+zs5DsEaSjKxElD7FqlIwzGGGwzh8G+OOQzzkb4ii9AXniGK2mUWEWxLbCaeoQ/cg1wzkbkiJXukrgkpihuo6Lxf01ybV1aABmoHkQmasos5BXh+JUF9mCVGjLev6QmsGs4GcqOMDgubovByDUeIOB7AA5575s2oSOeFYVPAyUNt5XduNUTkYA2eTHXL9iWhe6Oo8jlTChLViDy8S9BXX6+E1BWClXJbX0oz1+KyJ9cB+2CDyOZSsPIpEuadsMlQVsef/EcjyyCSFf3wB9HNmejozfjVNI/8fAek+F7lx5qOLyutXgxF4VQloTBUVWVhUzSNiLikkYS3kM1bHT2BmvPwAnqyXjOQqLBr62GSpqvKoHQ+c4hpJLicUFuPg3hK66FvvpSMD1cXLuG6CimQF35QYe4lp0v3u7p7EAunS5pop6QBMdpoC4GWcC1W3TGs07i5YmH4jZwZ5ZZzz/TWrSAzlFRtoSxoSUEPRTO5oD7AfzHUK4Jc7qm8Yc71QS1k4FPkqiqjMvl6kQPllbCUGQZx94+iK7OjqH3pJpGhC79NMIf+xzkuacNNWEKDK5UITXORXjTp4RkIc87XRzK2TYOH3wLOSMjVKhSwYnKVU4qYHjekKDJgj+y7v4s+hIj3KQ5Am2WGB6OhKLmh9om79nxC2VLGBxr28KI6OFugN0G4Pn8Y/EBQxiHgha0NVkaH2kIwiiduEguYaR6OrFr56snXpqqQztnAyKfvAHa+y8Bi8ScRsV+EgcnIssCC0WgnXsRolfdAP3Cy8AixwOLEolB7N/zGmRh8CwNYTDk18IYu8hSVFMCN3DCjbfo6TMKDcdvJJvdqYYifZvOiAV+HeNBWRMGx8b2GCLM2knALfn2DC5cdMWzGEj43zZgOFRZQkxTx3alMSYkjFKaF0VncJjY8fQ2ZLIjg3qEivK/Po/In14P9az3i8UtVIepeCxs2zFqhmNQV64WpBS+4jrIC9tGJOO9/fYhHNyzG6EAmhFPBLY2dt6PJkmIqScZbx/gef86ejLIjWz5+RqzpVu+c/bLBza0BFsUZyIog9DEk4P0KCnZ5JMmSd9nwDe8niamRcJIpCgMsbAS6GL1dpx0zhQNkUaAsZIX0SEQ5sRCePm/n8Ou3btx3jnvG/EZpmhQ28+Hsqgd5oFdMHb+DuZbr4ESfYBl5jU+LtAAeXgXdVWFVDcLyukroK54P5TFywRxjIYdO3Yg3dOJUHstqIQRqU791cLjpIt4nODCvT3wX88YFjp6ssiMbBfaScB3SbJ/d8vrF2JNoFcyMUwLwljbGsWONwcNK515EIQFYPgSH1t+jD/sYz0ZzJ8VRkgPph2iB0+nlZiFjGnhxOZlDLYeKSlhcKmruSqMROfreHjLFqxaeRYUpfAQc1VBXbEaats5sI69jdyB3bAO7YXVdQQ02AfKpl3pw/2CxABFE1KJVNMAefYCyIvboJy2HHJDsxO0NgaOHTuGx372M6zRJLFzBxlPMxZI1PMMu56j48TvpaiLRLIijKFh8nmbxeBIj1+SiP1gkOUebQxVm2tK7BUZjmlBGBxrW2LY/maqbzCTuF0leSGAP3GnsbAsH+3JYN6sMDTVp8K+o4BPprBr00iZ1gkTn7yyb6VaDESoD2mYG9PxyKOP4sqPXY4PfOADY39J1SEvaBEvyqZg9/eC+rpgD/SCkgOAlXPuSQ9DilWDVTcIQyqrqhXSynjx2M9/jl1/eAVXrVkKmWHMequBgjnFc4gLUO41iKK9RfCEeBAekd6ssF0MI4scQA8Rwz21oVh6XWv5qCIepg1hcKxriWDnS5kjR+TkzYxRA3/Ls54lUqaQNJobw0JFCRLMjdWQJCZUFK9CubC+MwmMzJIY9cjdJZfNqsHW3+3F7XfcgdbWVtTXj690G9MjkJsiQNN8X69rz949+Od77wUzDSyujZY4jIy5xmlnfLi0E1FlXzKWxwNbkEVGGO2HHyLglxZwa5KqOj/RWp59bsre6Dkc++vSqIprrwHsGwB25h/rG8wJm4ZlU1GWK59sMU1FSHbEWFFYVpJLGljJd+/ljVXQdRWPP/EE7rvvPuRywRuGR0MikcDt3/8+Xv3Dq5hbHcG8WKh00gWcHjK2FnIkRUVGTPOnvMF4wCXA7r4sevsLePcI/wXg5lmmfnBBrPTxFqNh2hHGFUvqwOo1MiPaszbR3wPYl3+cM3dnTyaALu2FIQJ7NAUxVYHERd0iibWjgd91W30Mc6rCSKXS+Kc77sC/P/QQLKv4yWiZTAZ33nUXfvzww+LfS+tiaAxrJTR4kpAAZT0kxqsYxs2hMwuyMNDVZxQgTNppgb7WFDNeOlCfweql1UW5pslg2hEGxwdX6ogylWSb/ZKIbvaK7sBdMD2cNHozQvwrBphrXQ9HIq7xr3RbKL/l+VUhtDXExG7a3d2Nm775TWzZsqWopJHNZnH3PffgtttvF8QlyTJWNlUhpARrYxoT/MSSDD0cDaQVwKindUs0dMWzhebkARBuSqeSzwzaNbjqtKaiXddkMC0Jg2Pd0hD0cCRnZ9gjRPRtAEPhjd4AeepJsSCpOpgSXL/O8YDvZDW6igua64QrmC/Uw4cP46+++lWxgJNu2HiQ4CR1y3e+g299+9vo6+sTRtO6kIpVTTWlb/WkyGCinmdxBomPR09/Fh29BSOT3ybQ15MmfhGLVdtrz4gW5ZqmgmlLGBwXtUcQqQkZKsk/ssn+B9G92oVHGp1FtGmILu6lTnF37RgfmFuPhrAuJqwsy8Kt+Xc33YS/ufFG7Nu/P5hzE+Hll1/GX3zlevzjbbehf2BAnNsmwhn1MfEqbUEwEqntIpekCNdxfA4WlCze4xudRew/6mNR8yNnBd9TxA9Ma8LgWNce45JGyrJy94Lou4VIQ0TSjdGg2R+Qo46UQcUriwjLZ1VhZVP1kL7MF+7AwADuvvdeXH3NNfjX++8XJOIHOFHs378f//Dd7+KTV1+Nh7c8AiOXgyRJLoExfHB+PZoiWsniL5wLdWthKMF7IPh9dsczo0kWRwn4Zlqy/l8oFDHWtZWf+3Q0TCu36mi4sC2Ep/b0p8xs5m7R6JSx/wNAUDafn70DhohgntMQgqpMtGzK+MFkRRRmKTX4PdfqCi5e0oTt73SLycuEg8DZH1548UXs2bMHWx55BFd87HJsWL8BixYtgq6PfyFxkkgkEti7dy+2bt2Kx37xC+zevVsQhZxn+OWfa4zouGhhoyiaWyxj9KjXrWqgkwSZTQXMq5gVzzp1LUbe7zGb0a2KxTZXRWKZjWUYazEWZgRhQOSc1GD7nv5ENpv+vyCZwNhfA2hEXps5vnA4aehBBHd5u5eql00h3vULG9BaH8NrXQOiaK0HRVGQSqfx1LZteObZZ7F40SKcd955uOD889HW1obmOXNQXVODcCgEVVWFsTSbzSKVSqG3txfvHD6MXbt24fkXXsCrO3eio6NDfIYThTzMS8Sf+bnNtVjVVD28J2gJQI4EGKBhOifKSWacxMiRpzgC4FvMZD/SI+H02tbyt1kMx4whDI6d+/fjzCWnJ7NG7p8ZkGMMfwNgyOzcP5gT7N/cEEI4gDBykuWSp7h74Dvb4poILj19Nvb2JNx+X8fBpQ3+Mk0Tb+7bhzfeeENIHDU1NWior0ddXR2i0aiQOvhnOMEkBgbQG4+jLx5HMpWCbdtDv1MoBJ0vmIiq4LKlc1CjKyWXLsRDUDUwWfV97EXt2ZyNY70ZURWuwO8fBti3sqa1OVoVzaxtmX5kgZlGGNd/9Bzx9+m9ycHBdPZuldlpBnwNwFDoYiJlwrLSQtKIRfy8facaNXzsqDXFqxEqwBUtzXhs/zHs7U4UrHLNGHOkAlkWBMAliO7u7sJSEmPi8/zlEcVY4BLF+XPrsH5hY5kIXeSojLL/wXWprOnkhqRG1OLk2E+Em3Ky/JNwWDc2TlOywEwwehbC+rYoYmE9Y1nshwT6WwIOeMe8Eu5HOtNOc1s/J44kl7xMXz64NNVWH8XH2+ZBkU+uhnlEwKUFRVVHvhRFkMvJiAKuKlKtK7hq2XzMjuploI44IC3kezsIvgm925kWfwtgNxF9VYL5aLUeMi5ZVh51LSaLGUkYcEkjFI5ksoweItD/BvBK/vFszsZ73Wl0xTOi98OUZQK3ZydKnOI+HBJj+ETbXFwwt66oMSn8VBef1oRNS5pK7jUaAh8XPj6iFsbUrom5Bt3efkNsPunsiJKRNoDnQOwv+tOJn4XC0dxFLaWvmDVVzFjCgDCEhlEdiloZK/W4CXwFwA53IMXc8eooHu3OCAKZYu8zEVnppE77dQdTB9/ZF1SFcO2qxZhVpJ2eP9cldVF84ezFwltTatPFCRiqtjV58LmTs2zhMj3akylUX5aLGr8khq+8p9T/prG20S52S8OgMKMJg2N9SxThcLX1R8sHfkvAlwh4lAsY3nHPg3K4IzWaSDl+8Jmkh9xKU+WzSvhO+JHTmvCZFQtFwlyQV8ZVkSpdwZfPWYLz5tQUVaoZD4RKwqZmw0ilHZW2q88JyBpezwIMPwLh+tnp9AvNGmhje/nmhkwUM54wODa112HrgTmYk1V3G8T+CsDdAPrzP5NMW0IP7Sk8CcYJJiakUxPDr6ufOkiUnWP4/MqF+OgZcwSBBHF5nHxlJuHTKxYKNYiVsP1IQTB3fITxd2JXxtz7608YeLczhf6kWegnugH8k2GzrymKcqCnoRGbWspI3PQBM8pLMhY2tUZwV2cvVnSZ76Zz9A0myQdB7AYAi+EKB1y0PNqTFUbRWXU6QtoEXa8M7oSUyq5VIVdFZkd0/N3qFiQME08e7BT2Db+ms01Og+I/bZ+HG85dgpgql42h0wENFQJy9snx1zFlboUsvpn0DuSEe7jAc9sLYt8zrNzD1ZHq1EXt0ysga7w4JSQMD19uqse+dBNULdSvEt0DYl8B8Pshu4YrvscTORzuSIv6GnzOj39ReUa18nysfAGfXhvBty5sEwZJclUIP35XlRiuXjYfX1/dIlLYy4ssXIFCVHYPjXtAvY8Npky825EWqekF8pIsgG2XbPaltK5sDumh1BE75fvllwvKc2YHiM+dy7BxWS30cMTY06k+RoTPAXiIz4v8z6Uyjp56tCc9IYMoO0lF6lKD747t9THctm45rlm+QNSwnOziJvf3miI6/vKCpfjGmlY0R/XS5ouMBckljHGMJhNRm7ZIXjzcmUYiXdC+xdXafyGwaw+dZWyLauHcJWfW4urljUFcfVnglFFJhmNNSwxP7UkT2bTLytl/DWa/DtjXAmwB8rwoPX0G0hkLjbU6qqOKKMs36nogcuIwZM9tV576KyeIRdVh3LymVVTnuv/Vt7EvPujYIKSTqymcEPhLV2SsnlePL65ajEsWzxI9PMpOssiHdHK3N3PVq0G3+bcgikJSJsN+EO6CLW1WdSXevjeMC5eXPo8oaJyyhAHX7crx9K7+Y6k0u00OYScj/CVAawAMZSglMxYynWnUxlQ01GiiOvmoULlKUv6PlS/supCKL5y9EGvm12PLnvfw60OdONiXQtZ07C/568rjAYkBtSENZ86qwmVnNOOjp89Gc0wfIpGyBpf8+PiMcp1ef9PeAUNUbssVjs/JANgGYv8oE3tWCYXNde3lVdk7SJT/zC4CspEqhKRB49iRmscbmrreZJCuA8PVAGbB23VsEhMpmTEFadTGNFFs+MS550oYAWZD+glvga9orELrB1tw1fL5eP5oHC8d7cP+eBLxjIGMZYuQ8piqiHqcyxqrRDLZyqZqYUSFG3dR/iBHVdRGBk8JadIipwNZvyHUURSWD98j4AFidP/83tSh3rmNuKjl1CELlK3MXCL8+rWsKDWfysZjErFNNsP1DDg/X9ogd5eNhhQ01mqigZJQU+AY1aS+Y9A3fxus87AbUTg9wCeC7N6HYdkYNCwkc5Zo2sQJI6LIiKqyKMevuG0Cylr9GA6yQdX1MK66Eda8Fqdbm6t+pDKmIAonz4gKaSxZAM8wRncyQ3vSCOUy7y5pwBcjp97yqUgYebhkuY5HX9iJusjiwVd27f3Jme2n7SawzzLgkwCakeeP55MrbVjCrtFQrSGsK068luzUW5huU8kzYHIojKE2pAiVhQ0dJ7fpGSE3jXjiBLjlB7wojIxhCTdp/2BuKFqzAFm8Q8BmInqgoaHxrYF4ArVSCH98CpIFKoQxEh8/7yzx9xev9FAItKeXWV8Py+oOybKvBeFDAISD3RNje/tzGExZqIkpqKvWEVbKo4jOVEDuf4IJ7yoRyKmIRqqGrGGifyAr3OfZnD2aeToBYBsBP5AZns3AyBhZAxevmDlRm5PBKedWHS/+eFUD+vUQoqFIetPyHz5myezzRLiZgD35UT8ir8C0RQn5d46l0NFnIidNb8KYqbCYgu6ELcbpWG9WkAVGkoVFwB9AuJEB183pyT7FFDUzT5+LC08vn0zkUqEiYYyBy9ucVOQdb6QQSSQODyjybRroSTD250S4nAFz8z/PRdyujIUaU4VuuzPx1JRcyw6MgIytoGOAkNOs0YblEICfMOBBi+zXNcj24+vm4utllH1calQIYxxY2xrBjURY99qAyRheNixjnwTpcYD+DMAGALXw7BtMgiXrQgYhrwF6RY4rHcjtuWxBjAtJciGy6Aaw1WL0QzD2nCapab4wdM2okMUwVAhjnLiVMdzq/v+2N5OJeL/xRFi1f8+YfYkE9mkAqwFUC8LwXHfkuvzdNIaKtFFEUB5ZuLAU3Y3CHbLNxAn4jQ1sBqOnGyy1PxlTsWEa9AcpFSp73ySwoSWKpjodqqb0bNra+GML9FkQbgDYdgJL2uqwfAU+cS3nNZPsiOUKThLeKx+CMARzi5DuJ4jhy8xmX5zb9M5/arLW310lV8jiJKhIGJPEh5Y62Yj3HXkPp/WGjuy05QeWU+5XpKgflrOD1xGTzhnxJZc4OJlUJI4AYB+X6EbBAEnybxhhC9n2UwsPNnYebR3A0c5VuHRlZTDGg8pT8gEPPLUP85pnw4aEubduUuc1Nd0hkXntSb8ouTaOyihMDZ7qcRLpzdCqXzzSdsk1zzVf+cayBQYkTcG6ikQxIVSmqo/o/LOPgGy5RY7KWySNnT2uL7E80qiMxsQwTqIY+niWOqxk5jNq63lb6/72lqCvbkaiYsPwEUcHeyTI8kYi1jLuxU+j69wVjALvmU3QJkRgs0gNfczc/+r0Lt1dQlQIwye896kNmB2b3QyGy0GYeLklcnVwa0LFoE4t5BPFRJ+RQ+ASA7vEIuns+OcvC+QSZzoqhOET1m7eBkWS1zKw84dijSejYuQtiomI2zMa+V6myZCpZ2R2sJBJ7Mp4OlkJ25wE/icAAP//iFU60gIwwN4AAAAASUVORK5CYII=
-  href: 'https://example-gitops-server-mypattern-example.apps.region.example.com'
-  location: ApplicationMenu
-  text: 'Example ArgoCD'
----
-# Source: clustergroup/templates/core/nodes.yaml
-apiVersion: v1
-kind: Node
-metadata:
-  name: m-m00.cluster.example.tld
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-    cluster.ocs.openshift.io/openshift-storage: ""
----
-# Source: clustergroup/templates/core/nodes.yaml
-apiVersion: v1
-kind: Node
-metadata:
-  name: m-m01.cluster.example.tld
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-    cluster.ocs.openshift.io/openshift-storage: ""
----
-# Source: clustergroup/templates/core/nodes.yaml
-apiVersion: v1
-kind: Node
-metadata:
-  name: m-m02.cluster.example.tld
-  labels:
-    argocd.argoproj.io/managed-by: mypattern-example
-    cluster.ocs.openshift.io/openshift-storage: ""
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: application-ci-operator-group
-  namespace: application-ci
-spec:
-  targetNamespaces:
-  - application-ci
-  - other-namespace
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: exclude-targetns-operator-group
-  namespace: exclude-targetns
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: include-ci-operator-group
-  namespace: include-ci
-spec:
-  targetNamespaces:
-  - include-ci
----
-# Source: clustergroup/templates/core/operatorgroup.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: include-default-og-operator-group
-  namespace: include-default-og
-spec:
-  targetNamespaces:
-  - include-default-og
----
-# Source: clustergroup/templates/core/scheduler.yaml
-apiVersion: config.openshift.io/v1
-kind: Scheduler
-metadata:
-  name: cluster
-spec:
-  mastersSchedulable: true
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: advanced-cluster-management
-  namespace: open-cluster-management
-spec:
-  name: advanced-cluster-management
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  channel: release-2.4
-  installPlanApproval: Automatic
-  startingCSV: advanced-cluster-management.v2.4.1
----
-# Source: clustergroup/templates/core/subscriptions.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-pipelines-operator-rh
-  namespace: openshift-operators
-spec:
-  name: openshift-pipelines-operator-rh
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  installPlanApproval: Automatic
-  startingCSV: redhat-openshift-pipelines.v1.5.2
diff --git a/tests/common-examples-blank-naked.expected.yaml b/tests/common-examples-blank-naked.expected.yaml
deleted file mode 100644
index 51a92e5d..00000000
--- a/tests/common-examples-blank-naked.expected.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# Source: blank/templates/manifest.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: example
diff --git a/tests/common-examples-blank-normal.expected.yaml b/tests/common-examples-blank-normal.expected.yaml
deleted file mode 100644
index 51a92e5d..00000000
--- a/tests/common-examples-blank-normal.expected.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# Source: blank/templates/manifest.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: example
diff --git a/tests/common-examples-kustomize-renderer-naked.expected.yaml b/tests/common-examples-kustomize-renderer-naked.expected.yaml
deleted file mode 100644
index 0aa7ee5d..00000000
--- a/tests/common-examples-kustomize-renderer-naked.expected.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-# Source: example/templates/environment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: environment
-data:
-  IMAGE_PROVIDER: 
-  IMAGE_ACCOUNT: PLAINTEXT
-  GIT_EMAIL: SOMEWHERE@EXAMPLE.COM
-  GIT_DEV_REPO_URL: https:///PLAINTEXT/manuela-dev.git
-  GIT_DEV_REPO_REVISION: main
-  GIT_OPS_REPO_TEST_URL: 
-  GIT_OPS_REPO_TEST_REVISION: 
-  GIT_OPS_REPO_PROD_URL: 
-  GIT_OPS_REPO_PROD_REVISION: 
-  IOT_CONSUMER_IMAGE: iot-consumer
-  IOT_CONSUMER_YAML_PATH: images.(name==messaging).newTag
-  IOT_CONSUMER_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml
-  IOT_CONSUMER_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/messaging/kustomization.yaml
-  IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/messaging/messaging-is.yaml
-  IOT_FRONTEND_IMAGE: iot-frontend
-  IOT_FRONTEND_YAML_PATH: images.(name==line-dashboard).newTag
-  IOT_FRONTEND_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml
-  IOT_FRONTEND_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/line-dashboard/kustomization.yaml
-  IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/line-dashboard/line-dashboard-is.yaml
-  IOT_SWSENSOR_IMAGE: iot-software-sensor
-  IOT_SWSENSOR_YAML_PATH: images.(name==machine-sensor).newTag
-  IOT_SWSENSOR_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml
-  IOT_SWSENSOR_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/machine-sensor/kustomization.yaml
-  IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/machine-sensor/machine-sensor-is.yaml
-  IOT_ANOMALY_IMAGE: iot-anomaly-detection
-  IOT_ANOMALY_YAML_PATH: images.(name==anomaly-detection).newTag
-  IOT_ANOMALY_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml
-  IOT_ANOMALY_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/anomaly-detection/kustomization.yaml
-  IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/anomaly-detection/anomaly-detection-is.yaml
diff --git a/tests/common-examples-kustomize-renderer-normal.expected.yaml b/tests/common-examples-kustomize-renderer-normal.expected.yaml
deleted file mode 100644
index caa4c08d..00000000
--- a/tests/common-examples-kustomize-renderer-normal.expected.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-# Source: example/templates/environment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: environment
-data:
-  IMAGE_PROVIDER: 
-  IMAGE_ACCOUNT: PLAINTEXT
-  GIT_EMAIL: SOMEWHERE@EXAMPLE.COM
-  GIT_DEV_REPO_URL: https:///PLAINTEXT/manuela-dev.git
-  GIT_DEV_REPO_REVISION: main
-  GIT_OPS_REPO_TEST_URL: https://github.com/pattern-clone/mypattern
-  GIT_OPS_REPO_TEST_REVISION: 
-  GIT_OPS_REPO_PROD_URL: https://github.com/pattern-clone/mypattern
-  GIT_OPS_REPO_PROD_REVISION: 
-  IOT_CONSUMER_IMAGE: iot-consumer
-  IOT_CONSUMER_YAML_PATH: images.(name==messaging).newTag
-  IOT_CONSUMER_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml
-  IOT_CONSUMER_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/messaging/kustomization.yaml
-  IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/messaging/messaging-is.yaml
-  IOT_FRONTEND_IMAGE: iot-frontend
-  IOT_FRONTEND_YAML_PATH: images.(name==line-dashboard).newTag
-  IOT_FRONTEND_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml
-  IOT_FRONTEND_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/line-dashboard/kustomization.yaml
-  IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/line-dashboard/line-dashboard-is.yaml
-  IOT_SWSENSOR_IMAGE: iot-software-sensor
-  IOT_SWSENSOR_YAML_PATH: images.(name==machine-sensor).newTag
-  IOT_SWSENSOR_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml
-  IOT_SWSENSOR_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/machine-sensor/kustomization.yaml
-  IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/machine-sensor/machine-sensor-is.yaml
-  IOT_ANOMALY_IMAGE: iot-anomaly-detection
-  IOT_ANOMALY_YAML_PATH: images.(name==anomaly-detection).newTag
-  IOT_ANOMALY_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml
-  IOT_ANOMALY_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/anomaly-detection/kustomization.yaml
-  IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/anomaly-detection/anomaly-detection-is.yaml
diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml
deleted file mode 100644
index 19c1f8c0..00000000
--- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,13143 +0,0 @@
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: golang-external-secrets
-  namespace: golang-external-secrets
-  annotations:
-    kubernetes.io/service-account.name: golang-external-secrets
-type: kubernetes.io/service-account-token
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: acraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - acraccesstoken
-    kind: ACRAccessToken
-    listKind: ACRAccessTokenList
-    plural: acraccesstokens
-    shortNames:
-      - acraccesstoken
-    singular: acraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ACRAccessToken returns a Azure Container Registry token
-            that can be used for pushing/pulling images.
-            Note: by default it will return an ACR Refresh Token with full access
-            (depending on the identity).
-            This can be scoped down to the repository level using .spec.scope.
-            In case scope is defined it will return an ACR Access Token.
-
-
-            See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: |-
-                ACRAccessTokenSpec defines how to generate the access token
-                e.g. how to authenticate and which registry to use.
-                see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
-              properties:
-                auth:
-                  properties:
-                    managedIdentity:
-                      description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
-                      properties:
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                      type: object
-                    servicePrincipal:
-                      description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
-                      properties:
-                        secretRef:
-                          description: |-
-                            Configuration used to authenticate with Azure using static
-                            credentials stored in a Kind=Secret.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                    workloadIdentity:
-                      description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
-                      properties:
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                  type: object
-                environmentType:
-                  default: PublicCloud
-                  description: |-
-                    EnvironmentType specifies the Azure cloud environment endpoints to use for
-                    connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                    The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                    PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                  enum:
-                    - PublicCloud
-                    - USGovernmentCloud
-                    - ChinaCloud
-                    - GermanCloud
-                  type: string
-                registry:
-                  description: |-
-                    the domain name of the ACR registry
-                    e.g. foobarexample.azurecr.io
-                  type: string
-                scope:
-                  description: |-
-                    Define the scope for the access token, e.g. pull/push access for a repository.
-                    if not provided it will return a refresh token that has full scope.
-                    Note: you need to pin it down to the repository level, there is no wildcard available.
-
-
-                    examples:
-                    repository:my-repository:pull,push
-                    repository:my-repository:pull
-
-
-                    see docs for details: https://docs.docker.com/registry/spec/auth/scope/
-                  type: string
-                tenantId:
-                  description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                  type: string
-              required:
-                - auth
-                - registry
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clusterexternalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterExternalSecret
-    listKind: ClusterExternalSecretList
-    plural: clusterexternalsecrets
-    shortNames:
-      - ces
-    singular: clusterexternalsecret
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshTime
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
-              properties:
-                externalSecretMetadata:
-                  description: The metadata of the external secrets to be created
-                  properties:
-                    annotations:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    labels:
-                      additionalProperties:
-                        type: string
-                      type: object
-                  type: object
-                externalSecretName:
-                  description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
-                  type: string
-                externalSecretSpec:
-                  description: The spec for the ExternalSecrets to be created
-                  properties:
-                    data:
-                      description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                      items:
-                        description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                        properties:
-                          remoteRef:
-                            description: |-
-                              RemoteRef points to the remote secret and defines
-                              which secret (version/property/..) to fetch.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          secretKey:
-                            description: |-
-                              SecretKey defines the key in which the controller stores
-                              the value. This is the key in the Kind=Secret
-                            type: string
-                          sourceRef:
-                            description: |-
-                              SourceRef allows you to override the source
-                              from which the value will pulled from.
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: |-
-                                  GeneratorRef points to a generator custom resource.
-
-
-                                  Deprecated: The generatorRef is not implemented in .data[].
-                                  this will be removed with v1.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        required:
-                          - remoteRef
-                          - secretKey
-                        type: object
-                      type: array
-                    dataFrom:
-                      description: |-
-                        DataFrom is used to fetch all properties from a specific Provider data
-                        If multiple entries are specified, the Secret keys are merged in the specified order
-                      items:
-                        properties:
-                          extract:
-                            description: |-
-                              Used to extract multiple key/value pairs from one secret
-                              Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          find:
-                            description: |-
-                              Used to find secrets based on tags or regular expressions
-                              Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              name:
-                                description: Finds secrets based on the name.
-                                properties:
-                                  regexp:
-                                    description: Finds secrets base
-                                    type: string
-                                type: object
-                              path:
-                                description: A root path to start the find operations.
-                                type: string
-                              tags:
-                                additionalProperties:
-                                  type: string
-                                description: Find secrets based on tags.
-                                type: object
-                            type: object
-                          rewrite:
-                            description: |-
-                              Used to rewrite secret Keys after getting them from the secret Provider
-                              Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                            items:
-                              properties:
-                                regexp:
-                                  description: |-
-                                    Used to rewrite with regular expressions.
-                                    The resulting key will be the output of a regexp.ReplaceAll operation.
-                                  properties:
-                                    source:
-                                      description: Used to define the regular expression of a re.Compiler.
-                                      type: string
-                                    target:
-                                      description: Used to define the target pattern of a ReplaceAll operation.
-                                      type: string
-                                  required:
-                                    - source
-                                    - target
-                                  type: object
-                                transform:
-                                  description: |-
-                                    Used to apply string transformation on the secrets.
-                                    The resulting key will be the output of the template applied by the operation.
-                                  properties:
-                                    template:
-                                      description: |-
-                                        Used to define the template to apply on the secret name.
-                                        `.value ` will specify the secret name in the template.
-                                      type: string
-                                  required:
-                                    - template
-                                  type: object
-                              type: object
-                            type: array
-                          sourceRef:
-                            description: |-
-                              SourceRef points to a store or generator
-                              which contains secret values ready to use.
-                              Use this in combination with Extract or Find pull values out of
-                              a specific SecretStore.
-                              When sourceRef points to a generator Extract or Find is not supported.
-                              The generator returns a static map of values
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: GeneratorRef points to a generator custom resource.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        type: object
-                      type: array
-                    refreshInterval:
-                      default: 1h
-                      description: |-
-                        RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                        Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                        May be set to zero to fetch and create it once. Defaults to 1h.
-                      type: string
-                    secretStoreRef:
-                      description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                      properties:
-                        kind:
-                          description: |-
-                            Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                            Defaults to `SecretStore`
-                          type: string
-                        name:
-                          description: Name of the SecretStore resource
-                          type: string
-                      required:
-                        - name
-                      type: object
-                    target:
-                      default:
-                        creationPolicy: Owner
-                        deletionPolicy: Retain
-                      description: |-
-                        ExternalSecretTarget defines the Kubernetes Secret to be created
-                        There can be only one target per ExternalSecret.
-                      properties:
-                        creationPolicy:
-                          default: Owner
-                          description: |-
-                            CreationPolicy defines rules on how to create the resulting Secret
-                            Defaults to 'Owner'
-                          enum:
-                            - Owner
-                            - Orphan
-                            - Merge
-                            - None
-                          type: string
-                        deletionPolicy:
-                          default: Retain
-                          description: |-
-                            DeletionPolicy defines rules on how to delete the resulting Secret
-                            Defaults to 'Retain'
-                          enum:
-                            - Delete
-                            - Merge
-                            - Retain
-                          type: string
-                        immutable:
-                          description: Immutable defines if the final secret will be immutable
-                          type: boolean
-                        name:
-                          description: |-
-                            Name defines the name of the Secret resource to be managed
-                            This field is immutable
-                            Defaults to the .metadata.name of the ExternalSecret resource
-                          type: string
-                        template:
-                          description: Template defines a blueprint for the created Secret resource.
-                          properties:
-                            data:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            engineVersion:
-                              default: v2
-                              description: |-
-                                EngineVersion specifies the template engine version
-                                that should be used to compile/execute the
-                                template specified in .data and .templateFrom[].
-                              enum:
-                                - v1
-                                - v2
-                              type: string
-                            mergePolicy:
-                              default: Replace
-                              enum:
-                                - Replace
-                                - Merge
-                              type: string
-                            metadata:
-                              description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                              properties:
-                                annotations:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                                labels:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                              type: object
-                            templateFrom:
-                              items:
-                                properties:
-                                  configMap:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  literal:
-                                    type: string
-                                  secret:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  target:
-                                    default: Data
-                                    enum:
-                                      - Data
-                                      - Annotations
-                                      - Labels
-                                    type: string
-                                type: object
-                              type: array
-                            type:
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                namespaceSelector:
-                  description: |-
-                    The labels to select by to find the Namespaces to create the ExternalSecrets in.
-                    Deprecated: Use NamespaceSelectors instead.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                      items:
-                        description: |-
-                          A label selector requirement is a selector that contains values, a key, and an operator that
-                          relates the key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies to.
-                            type: string
-                          operator:
-                            description: |-
-                              operator represents a key's relationship to a set of values.
-                              Valid operators are In, NotIn, Exists and DoesNotExist.
-                            type: string
-                          values:
-                            description: |-
-                              values is an array of string values. If the operator is In or NotIn,
-                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                              the values array must be empty. This array is replaced during a strategic
-                              merge patch.
-                            items:
-                              type: string
-                            type: array
-                            x-kubernetes-list-type: atomic
-                        required:
-                          - key
-                          - operator
-                        type: object
-                      type: array
-                      x-kubernetes-list-type: atomic
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: |-
-                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                        map is equivalent to an element of matchExpressions, whose key field is "key", the
-                        operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      type: object
-                  type: object
-                  x-kubernetes-map-type: atomic
-                namespaceSelectors:
-                  description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
-                  items:
-                    description: |-
-                      A label selector is a label query over a set of resources. The result of matchLabels and
-                      matchExpressions are ANDed. An empty label selector matches all objects. A null
-                      label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: |-
-                            A label selector requirement is a selector that contains values, a key, and an operator that
-                            relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: |-
-                                operator represents a key's relationship to a set of values.
-                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: |-
-                                values is an array of string values. If the operator is In or NotIn,
-                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                the values array must be empty. This array is replaced during a strategic
-                                merge patch.
-                              items:
-                                type: string
-                              type: array
-                              x-kubernetes-list-type: atomic
-                          required:
-                            - key
-                            - operator
-                          type: object
-                        type: array
-                        x-kubernetes-list-type: atomic
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: |-
-                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                    x-kubernetes-map-type: atomic
-                  type: array
-                namespaces:
-                  description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
-                  items:
-                    type: string
-                  type: array
-                refreshTime:
-                  description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
-                  type: string
-              required:
-                - externalSecretSpec
-              type: object
-            status:
-              description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      message:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                externalSecretName:
-                  description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
-                  type: string
-                failedNamespaces:
-                  description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
-                  items:
-                    description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
-                    properties:
-                      namespace:
-                        description: Namespace is the namespace that failed when trying to apply an ExternalSecret
-                        type: string
-                      reason:
-                        description: Reason is why the ExternalSecret failed to apply to the namespace
-                        type: string
-                    required:
-                      - namespace
-                    type: object
-                  type: array
-                provisionedNamespaces:
-                  description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
-                  items:
-                    type: string
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clustersecretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterSecretStore
-    listKind: ClusterSecretStoreList
-    plural: clustersecretstores
-    shortNames:
-      - css
-    singular: clustersecretstore
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: ecrauthorizationtokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - ecrauthorizationtoken
-    kind: ECRAuthorizationToken
-    listKind: ECRAuthorizationTokenList
-    plural: ecrauthorizationtokens
-    shortNames:
-      - ecrauthorizationtoken
-    singular: ecrauthorizationtoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
-            authorization token.
-            The authorization token is valid for 12 hours.
-            The authorizationToken returned is a base64 encoded string that can be decoded
-            and used in a docker login command to authenticate to a registry.
-            For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines how to authenticate with AWS
-                  properties:
-                    jwt:
-                      description: Authenticate against AWS using service account tokens.
-                      properties:
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                    secretRef:
-                      description: |-
-                        AWSAuthSecretRef holds secret references for AWS credentials
-                        both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                      properties:
-                        accessKeyIDSecretRef:
-                          description: The AccessKeyID is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        sessionTokenSecretRef:
-                          description: |-
-                            The SessionToken used for authentication
-                            This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                            see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                region:
-                  description: Region specifies the region to operate in.
-                  type: string
-                role:
-                  description: |-
-                    You can assume a role before making calls to the
-                    desired AWS service.
-                  type: string
-              required:
-                - region
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: externalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ExternalSecret
-    listKind: ExternalSecretList
-    plural: externalsecrets
-    shortNames:
-      - es
-    singular: externalsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: ExternalSecretDataRemoteRef defines Provider data location.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        type: string
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    description: ExternalSecretDataRemoteRef defines Provider data location.
-                    properties:
-                      conversionStrategy:
-                        default: Default
-                        description: Used to define a conversion Strategy
-                        enum:
-                          - Default
-                          - Unicode
-                        type: string
-                      key:
-                        description: Key is the key used in the Provider, mandatory
-                        type: string
-                      property:
-                        description: Used to select a specific property of the Provider value (if a map), if supported
-                        type: string
-                      version:
-                        description: Used to select a specific version of the Provider value, if supported
-                        type: string
-                    required:
-                      - key
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Merge
-                        - None
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v1
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            maxProperties: 1
-                            minProperties: 1
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              required:
-                - secretStoreRef
-                - target
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: |-
-                          RemoteRef points to the remote secret and defines
-                          which secret (version/property/..) to fetch.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        description: |-
-                          SecretKey defines the key in which the controller stores
-                          the value. This is the key in the Kind=Secret
-                        type: string
-                      sourceRef:
-                        description: |-
-                          SourceRef allows you to override the source
-                          from which the value will pulled from.
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: |-
-                              GeneratorRef points to a generator custom resource.
-
-
-                              Deprecated: The generatorRef is not implemented in .data[].
-                              this will be removed with v1.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    properties:
-                      extract:
-                        description: |-
-                          Used to extract multiple key/value pairs from one secret
-                          Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      find:
-                        description: |-
-                          Used to find secrets based on tags or regular expressions
-                          Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          name:
-                            description: Finds secrets based on the name.
-                            properties:
-                              regexp:
-                                description: Finds secrets base
-                                type: string
-                            type: object
-                          path:
-                            description: A root path to start the find operations.
-                            type: string
-                          tags:
-                            additionalProperties:
-                              type: string
-                            description: Find secrets based on tags.
-                            type: object
-                        type: object
-                      rewrite:
-                        description: |-
-                          Used to rewrite secret Keys after getting them from the secret Provider
-                          Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                        items:
-                          properties:
-                            regexp:
-                              description: |-
-                                Used to rewrite with regular expressions.
-                                The resulting key will be the output of a regexp.ReplaceAll operation.
-                              properties:
-                                source:
-                                  description: Used to define the regular expression of a re.Compiler.
-                                  type: string
-                                target:
-                                  description: Used to define the target pattern of a ReplaceAll operation.
-                                  type: string
-                              required:
-                                - source
-                                - target
-                              type: object
-                            transform:
-                              description: |-
-                                Used to apply string transformation on the secrets.
-                                The resulting key will be the output of the template applied by the operation.
-                              properties:
-                                template:
-                                  description: |-
-                                    Used to define the template to apply on the secret name.
-                                    `.value ` will specify the secret name in the template.
-                                  type: string
-                              required:
-                                - template
-                              type: object
-                          type: object
-                        type: array
-                      sourceRef:
-                        description: |-
-                          SourceRef points to a store or generator
-                          which contains secret values ready to use.
-                          Use this in combination with Extract or Find pull values out of
-                          a specific SecretStore.
-                          When sourceRef points to a generator Extract or Find is not supported.
-                          The generator returns a static map of values
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: GeneratorRef points to a generator custom resource.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  default:
-                    creationPolicy: Owner
-                    deletionPolicy: Retain
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Orphan
-                        - Merge
-                        - None
-                      type: string
-                    deletionPolicy:
-                      default: Retain
-                      description: |-
-                        DeletionPolicy defines rules on how to delete the resulting Secret
-                        Defaults to 'Retain'
-                      enum:
-                        - Delete
-                        - Merge
-                        - Retain
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v2
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        mergePolicy:
-                          default: Replace
-                          enum:
-                            - Replace
-                            - Merge
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              literal:
-                                type: string
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              target:
-                                default: Data
-                                enum:
-                                  - Data
-                                  - Annotations
-                                  - Labels
-                                type: string
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: fakes.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - fake
-    kind: Fake
-    listKind: FakeList
-    plural: fakes
-    shortNames:
-      - fake
-    singular: fake
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Fake generator is used for testing. It lets you define
-            a static set of credentials that is always returned.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: FakeSpec contains the static data.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                data:
-                  additionalProperties:
-                    type: string
-                  description: |-
-                    Data defines the static data returned
-                    by this generator.
-                  type: object
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: gcraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - gcraccesstoken
-    kind: GCRAccessToken
-    listKind: GCRAccessTokenList
-    plural: gcraccesstokens
-    shortNames:
-      - gcraccesstoken
-    singular: gcraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            GCRAccessToken generates an GCP access token
-            that can be used to authenticate with GCR.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines the means for authenticating with GCP
-                  properties:
-                    secretRef:
-                      properties:
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    workloadIdentity:
-                      properties:
-                        clusterLocation:
-                          type: string
-                        clusterName:
-                          type: string
-                        clusterProjectID:
-                          type: string
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      required:
-                        - clusterLocation
-                        - clusterName
-                        - serviceAccountRef
-                      type: object
-                  type: object
-                projectID:
-                  description: ProjectID defines which project to use to authenticate with
-                  type: string
-              required:
-                - auth
-                - projectID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: githubaccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - githubaccesstoken
-    kind: GithubAccessToken
-    listKind: GithubAccessTokenList
-    plural: githubaccesstokens
-    shortNames:
-      - githubaccesstoken
-    singular: githubaccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: GithubAccessToken generates ghs_ accessToken
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                appID:
-                  type: string
-                auth:
-                  description: Auth configures how ESO authenticates with a Github instance.
-                  properties:
-                    privateKey:
-                      properties:
-                        secretRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                  required:
-                    - privateKey
-                  type: object
-                installID:
-                  type: string
-                url:
-                  description: URL configures the Github instance URL. Defaults to https://github.com/.
-                  type: string
-              required:
-                - appID
-                - auth
-                - installID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: passwords.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - password
-    kind: Password
-    listKind: PasswordList
-    plural: passwords
-    shortNames:
-      - password
-    singular: password
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Password generates a random password based on the
-            configuration parameters in spec.
-            You can specify the length, characterset and other attributes.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PasswordSpec controls the behavior of the password generator.
-              properties:
-                allowRepeat:
-                  default: false
-                  description: set AllowRepeat to true to allow repeating characters.
-                  type: boolean
-                digits:
-                  description: |-
-                    Digits specifies the number of digits in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-                length:
-                  default: 24
-                  description: |-
-                    Length of the password to be generated.
-                    Defaults to 24
-                  type: integer
-                noUpper:
-                  default: false
-                  description: Set NoUpper to disable uppercase characters
-                  type: boolean
-                symbolCharacters:
-                  description: |-
-                    SymbolCharacters specifies the special characters that should be used
-                    in the generated password.
-                  type: string
-                symbols:
-                  description: |-
-                    Symbols specifies the number of symbol characters in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-              required:
-                - allowRepeat
-                - length
-                - noUpper
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  name: pushsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - pushsecrets
-    kind: PushSecret
-    listKind: PushSecretList
-    plural: pushsecrets
-    singular: pushsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PushSecretSpec configures the behavior of the PushSecret.
-              properties:
-                data:
-                  description: Secret Data that should be pushed to providers
-                  items:
-                    properties:
-                      conversionStrategy:
-                        default: None
-                        description: Used to define a conversion Strategy for the secret keys
-                        enum:
-                          - None
-                          - ReverseUnicode
-                        type: string
-                      match:
-                        description: Match a given Secret Key to be pushed to the provider.
-                        properties:
-                          remoteRef:
-                            description: Remote Refs to push to providers.
-                            properties:
-                              property:
-                                description: Name of the property in the resulting secret
-                                type: string
-                              remoteKey:
-                                description: Name of the resulting provider secret.
-                                type: string
-                            required:
-                              - remoteKey
-                            type: object
-                          secretKey:
-                            description: Secret Key to be pushed
-                            type: string
-                        required:
-                          - remoteRef
-                        type: object
-                      metadata:
-                        description: |-
-                          Metadata is metadata attached to the secret.
-                          The structure of metadata is provider specific, please look it up in the provider documentation.
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                      - match
-                    type: object
-                  type: array
-                deletionPolicy:
-                  default: None
-                  description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
-                  enum:
-                    - Delete
-                    - None
-                  type: string
-                refreshInterval:
-                  description: The Interval to which External Secrets will try to push a secret definition
-                  type: string
-                secretStoreRefs:
-                  items:
-                    properties:
-                      kind:
-                        default: SecretStore
-                        description: |-
-                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                          Defaults to `SecretStore`
-                        type: string
-                      labelSelector:
-                        description: Optionally, sync to secret stores with label selector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      name:
-                        description: Optionally, sync to the SecretStore of the given name
-                        type: string
-                    type: object
-                  type: array
-                selector:
-                  description: The Secret Selector (k8s source) for the Push Secret
-                  properties:
-                    secret:
-                      description: Select a Secret to Push.
-                      properties:
-                        name:
-                          description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
-                          type: string
-                      required:
-                        - name
-                      type: object
-                  required:
-                    - secret
-                  type: object
-                template:
-                  description: Template defines a blueprint for the created Secret resource.
-                  properties:
-                    data:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    engineVersion:
-                      default: v2
-                      description: |-
-                        EngineVersion specifies the template engine version
-                        that should be used to compile/execute the
-                        template specified in .data and .templateFrom[].
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                    mergePolicy:
-                      default: Replace
-                      enum:
-                        - Replace
-                        - Merge
-                      type: string
-                    metadata:
-                      description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        labels:
-                          additionalProperties:
-                            type: string
-                          type: object
-                      type: object
-                    templateFrom:
-                      items:
-                        properties:
-                          configMap:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          literal:
-                            type: string
-                          secret:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          target:
-                            default: Data
-                            enum:
-                              - Data
-                              - Annotations
-                              - Labels
-                            type: string
-                        type: object
-                      type: array
-                    type:
-                      type: string
-                  type: object
-                updatePolicy:
-                  default: Replace
-                  description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
-                  enum:
-                    - Replace
-                    - IfNotExists
-                  type: string
-              required:
-                - secretStoreRefs
-                - selector
-              type: object
-            status:
-              description: PushSecretStatus indicates the history of the status of PushSecret.
-              properties:
-                conditions:
-                  items:
-                    description: PushSecretStatusCondition indicates the status of the PushSecret.
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        description: PushSecretConditionType indicates the condition of the PushSecret.
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedPushSecrets:
-                  additionalProperties:
-                    additionalProperties:
-                      properties:
-                        conversionStrategy:
-                          default: None
-                          description: Used to define a conversion Strategy for the secret keys
-                          enum:
-                            - None
-                            - ReverseUnicode
-                          type: string
-                        match:
-                          description: Match a given Secret Key to be pushed to the provider.
-                          properties:
-                            remoteRef:
-                              description: Remote Refs to push to providers.
-                              properties:
-                                property:
-                                  description: Name of the property in the resulting secret
-                                  type: string
-                                remoteKey:
-                                  description: Name of the resulting provider secret.
-                                  type: string
-                              required:
-                                - remoteKey
-                              type: object
-                            secretKey:
-                              description: Secret Key to be pushed
-                              type: string
-                          required:
-                            - remoteRef
-                          type: object
-                        metadata:
-                          description: |-
-                            Metadata is metadata attached to the secret.
-                            The structure of metadata is provider specific, please look it up in the provider documentation.
-                          x-kubernetes-preserve-unknown-fields: true
-                      required:
-                        - match
-                      type: object
-                    type: object
-                  description: |-
-                    Synced PushSecrets, including secrets that already exist in provider.
-                    Matches secret stores to PushSecretData that was stored to that secret store.
-                  type: object
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version.
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: secretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: SecretStore
-    listKind: SecretStoreList
-    plural: secretstores
-    shortNames:
-      - ss
-    singular: secretstore
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: vaultdynamicsecrets.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - vaultdynamicsecret
-    kind: VaultDynamicSecret
-    listKind: VaultDynamicSecretList
-    plural: vaultdynamicsecrets
-    shortNames:
-      - vaultdynamicsecret
-    singular: vaultdynamicsecret
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                method:
-                  description: Vault API method to use (GET/POST/other)
-                  type: string
-                parameters:
-                  description: Parameters to pass to Vault write (for non-GET methods)
-                  x-kubernetes-preserve-unknown-fields: true
-                path:
-                  description: Vault path to obtain the dynamic secret from
-                  type: string
-                provider:
-                  description: Vault provider common spec
-                  properties:
-                    auth:
-                      description: Auth configures how secret-manager authenticates with the Vault server.
-                      properties:
-                        appRole:
-                          description: |-
-                            AppRole authenticates with Vault using the App Role auth mechanism,
-                            with the role and secret stored in a Kubernetes Secret resource.
-                          properties:
-                            path:
-                              default: approle
-                              description: |-
-                                Path where the App Role authentication backend is mounted
-                                in Vault, e.g: "approle"
-                              type: string
-                            roleId:
-                              description: |-
-                                RoleID configured in the App Role authentication backend when setting
-                                up the authentication backend in Vault.
-                              type: string
-                            roleRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role ID used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role id.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role secret used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role secret.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                            - secretRef
-                          type: object
-                        cert:
-                          description: |-
-                            Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                            Cert authentication method
-                          properties:
-                            clientCert:
-                              description: |-
-                                ClientCert is a certificate to authenticate using the Cert Vault
-                                authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing client private key to
-                                authenticate with Vault using the Cert authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        iam:
-                          description: |-
-                            Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                            AWS IAM authentication method
-                          properties:
-                            externalID:
-                              description: AWS External ID set on assumed IAM roles
-                              type: string
-                            jwt:
-                              description: Specify a service account with IRSA enabled
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            path:
-                              description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                              type: string
-                            region:
-                              description: AWS region
-                              type: string
-                            role:
-                              description: This is the AWS role to be assumed before talking to vault
-                              type: string
-                            secretRef:
-                              description: Specify credentials in a Secret object
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            vaultAwsIamServerID:
-                              description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                              type: string
-                            vaultRole:
-                              description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                              type: string
-                          required:
-                            - vaultRole
-                          type: object
-                        jwt:
-                          description: |-
-                            Jwt authenticates with Vault by passing role and JWT token using the
-                            JWT/OIDC authentication method
-                          properties:
-                            kubernetesServiceAccountToken:
-                              description: |-
-                                Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                a token for with the `TokenRequest` API.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Optional audiences field that will be used to request a temporary Kubernetes service
-                                    account token for the service account referenced by `serviceAccountRef`.
-                                    Defaults to a single audience `vault` it not specified.
-                                    Deprecated: use serviceAccountRef.Audiences instead
-                                  items:
-                                    type: string
-                                  type: array
-                                expirationSeconds:
-                                  description: |-
-                                    Optional expiration time in seconds that will be used to request a temporary
-                                    Kubernetes service account token for the service account referenced by
-                                    `serviceAccountRef`.
-                                    Deprecated: this will be removed in the future.
-                                    Defaults to 10 minutes.
-                                  format: int64
-                                  type: integer
-                                serviceAccountRef:
-                                  description: Service account field containing the name of a kubernetes ServiceAccount.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - serviceAccountRef
-                              type: object
-                            path:
-                              default: jwt
-                              description: |-
-                                Path where the JWT authentication backend is mounted
-                                in Vault, e.g: "jwt"
-                              type: string
-                            role:
-                              description: |-
-                                Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                authentication method
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                authenticate with Vault using the JWT/OIDC authentication method.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                          type: object
-                        kubernetes:
-                          description: |-
-                            Kubernetes authenticates with Vault by passing the ServiceAccount
-                            token stored in the named Secret resource to the Vault server.
-                          properties:
-                            mountPath:
-                              default: kubernetes
-                              description: |-
-                                Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                "kubernetes"
-                              type: string
-                            role:
-                              description: |-
-                                A required field containing the Vault Role to assume. A Role binds a
-                                Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                for authenticating with Vault. If a name is specified without a key,
-                                `token` is the default. If one is not specified, the one bound to
-                                the controller will be used.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            serviceAccountRef:
-                              description: |-
-                                Optional service account field containing the name of a kubernetes ServiceAccount.
-                                If the service account is specified, the service account secret token JWT will be used
-                                for authenticating with Vault. If the service account selector is not supplied,
-                                the secretRef will be used instead.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          required:
-                            - mountPath
-                            - role
-                          type: object
-                        ldap:
-                          description: |-
-                            Ldap authenticates with Vault by passing username/password pair using
-                            the LDAP authentication method
-                          properties:
-                            path:
-                              default: ldap
-                              description: |-
-                                Path where the LDAP authentication backend is mounted
-                                in Vault, e.g: "ldap"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the LDAP
-                                user used to authenticate with Vault using the LDAP authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a LDAP user name used to authenticate using the LDAP Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                            Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                            This will default to Vault.Namespace field if set, or empty otherwise
-                          type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        userPass:
-                          description: UserPass authenticates with Vault by passing username/password pair
-                          properties:
-                            path:
-                              default: user
-                              description: |-
-                                Path where the UserPassword authentication backend is mounted
-                                in Vault, e.g: "user"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the
-                                user used to authenticate with Vault using the UserPass authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a user name used to authenticate using the UserPass Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                      type: object
-                    caBundle:
-                      description: |-
-                        PEM encoded CA bundle used to validate Vault server certificate. Only used
-                        if the Server URL is using HTTPS protocol. This parameter is ignored for
-                        plain HTTP protocol connection. If not set the system root certificates
-                        are used to validate the TLS connection.
-                      format: byte
-                      type: string
-                    caProvider:
-                      description: The provider for the CA bundle to use to validate Vault server certificate.
-                      properties:
-                        key:
-                          description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                          type: string
-                        name:
-                          description: The name of the object located at the provider type.
-                          type: string
-                        namespace:
-                          description: |-
-                            The namespace the Provider type is in.
-                            Can only be defined when used in a ClusterSecretStore.
-                          type: string
-                        type:
-                          description: The type of provider to use such as "Secret", or "ConfigMap".
-                          enum:
-                            - Secret
-                            - ConfigMap
-                          type: string
-                      required:
-                        - name
-                        - type
-                      type: object
-                    forwardInconsistent:
-                      description: |-
-                        ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                        leader instead of simply retrying within a loop. This can increase performance if
-                        the option is enabled serverside.
-                        https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                      type: boolean
-                    headers:
-                      additionalProperties:
-                        type: string
-                      description: Headers to be added in Vault request
-                      type: object
-                    namespace:
-                      description: |-
-                        Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                        Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                        More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                      type: string
-                    path:
-                      description: |-
-                        Path is the mount path of the Vault KV backend endpoint, e.g:
-                        "secret". The v2 KV secret engine version specific "/data" path suffix
-                        for fetching secrets from Vault is optional and will be appended
-                        if not present in specified path.
-                      type: string
-                    readYourWrites:
-                      description: |-
-                        ReadYourWrites ensures isolated read-after-write semantics by
-                        providing discovered cluster replication states in each request.
-                        More information about eventual consistency in Vault can be found here
-                        https://www.vaultproject.io/docs/enterprise/consistency
-                      type: boolean
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                    tls:
-                      description: |-
-                        The configuration used for client side related TLS communication, when the Vault server
-                        requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                        This parameter is ignored for plain HTTP protocol connection.
-                        It's worth noting this configuration is different from the "TLS certificates auth method",
-                        which is available under the `auth.cert` section.
-                      properties:
-                        certSecretRef:
-                          description: |-
-                            CertSecretRef is a certificate added to the transport layer
-                            when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        keySecretRef:
-                          description: |-
-                            KeySecretRef to a key in a Secret resource containing client private key
-                            added to the transport layer when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    version:
-                      default: v2
-                      description: |-
-                        Version is the Vault KV secret engine version. This can be either "v1" or
-                        "v2". Version defaults to "v2".
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                  required:
-                    - auth
-                    - server
-                  type: object
-                resultType:
-                  default: Data
-                  description: |-
-                    Result type defines which data is returned from the generator.
-                    By default it is the "data" section of the Vault API response.
-                    When using e.g. /auth/token/create the "data" section is empty but
-                    the "auth" section contains the generated token.
-                    Please refer to the vault docs regarding the result data structure.
-                  enum:
-                    - Data
-                    - Auth
-                  type: string
-              required:
-                - path
-                - provider
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: webhooks.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - webhook
-    kind: Webhook
-    listKind: WebhookList
-    plural: webhooks
-    shortNames:
-      - webhookl
-    singular: webhook
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Webhook connects to a third party API server to handle the secrets generation
-            configuration parameters in spec.
-            You can specify the server, the token, and additional body parameters.
-            See documentation for the full API specification for requests and responses.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
-              properties:
-                body:
-                  description: Body
-                  type: string
-                caBundle:
-                  description: |-
-                    PEM encoded CA bundle used to validate webhook server certificate. Only used
-                    if the Server URL is using HTTPS protocol. This parameter is ignored for
-                    plain HTTP protocol connection. If not set the system root certificates
-                    are used to validate the TLS connection.
-                  format: byte
-                  type: string
-                caProvider:
-                  description: The provider for the CA bundle to use to validate webhook server certificate.
-                  properties:
-                    key:
-                      description: The key the value inside of the provider type to use, only used with "Secret" type
-                      type: string
-                    name:
-                      description: The name of the object located at the provider type.
-                      type: string
-                    namespace:
-                      description: The namespace the Provider type is in.
-                      type: string
-                    type:
-                      description: The type of provider to use such as "Secret", or "ConfigMap".
-                      enum:
-                        - Secret
-                        - ConfigMap
-                      type: string
-                  required:
-                    - name
-                    - type
-                  type: object
-                headers:
-                  additionalProperties:
-                    type: string
-                  description: Headers
-                  type: object
-                method:
-                  description: Webhook Method
-                  type: string
-                result:
-                  description: Result formatting
-                  properties:
-                    jsonPath:
-                      description: Json path of return value
-                      type: string
-                  type: object
-                secrets:
-                  description: |-
-                    Secrets to fill in templates
-                    These secrets will be passed to the templating function as key value pairs under the given name
-                  items:
-                    properties:
-                      name:
-                        description: Name of this secret in templates
-                        type: string
-                      secretRef:
-                        description: Secret ref to fill in credentials
-                        properties:
-                          key:
-                            description: The key where the token is found.
-                            type: string
-                          name:
-                            description: The name of the Secret resource being referred to.
-                            type: string
-                        type: object
-                    required:
-                      - name
-                      - secretRef
-                    type: object
-                  type: array
-                timeout:
-                  description: Timeout
-                  type: string
-                url:
-                  description: Webhook url to call
-                  type: string
-              required:
-                - result
-                - url
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "apiextensions.k8s.io"
-    resources:
-    - "customresourcedefinitions"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "admissionregistration.k8s.io"
-    resources:
-    - "validatingwebhookconfigurations"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "endpoints"
-    verbs:
-    - "list"
-    - "get"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "secretstores"
-    - "clustersecretstores"
-    - "externalsecrets"
-    - "clusterexternalsecrets"
-    - "pushsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    - "externalsecrets/status"
-    - "externalsecrets/finalizers"
-    - "secretstores"
-    - "secretstores/status"
-    - "secretstores/finalizers"
-    - "clustersecretstores"
-    - "clustersecretstores/status"
-    - "clustersecretstores/finalizers"
-    - "clusterexternalsecrets"
-    - "clusterexternalsecrets/status"
-    - "clusterexternalsecrets/finalizers"
-    - "pushsecrets"
-    - "pushsecrets/status"
-    - "pushsecrets/finalizers"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts"
-    - "namespaces"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "create"
-    - "update"
-    - "delete"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts/token"
-    verbs:
-    - "create"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "create"
-    - "update"
-    - "delete"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-view
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-edit
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-servicebindings
-  labels:
-    servicebinding.io/controller: "true"
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-cert-controller
-subjects:
-  - name: external-secrets-cert-controller
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-controller
-subjects:
-  - name: common-golang-external-secrets
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: role-tokenreview-binding
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: golang-external-secrets
-  namespace: golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    resourceNames:
-    - "external-secrets-controller"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "create"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: common-golang-external-secrets-leaderelection
-subjects:
-  - kind: ServiceAccount
-    name: common-golang-external-secrets
-    namespace: default
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
-spec:
-  type: ClusterIP
-  ports:
-  - port: 443
-    targetPort: 10250
-    protocol: TCP
-    name: webhook
-  selector:
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-cert-controller
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-cert-controller
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: external-secrets-cert-controller
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: cert-controller
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - certcontroller
-          - --crd-requeue-interval=5m
-          - --service-name=common-golang-external-secrets-webhook
-          - --service-namespace=default
-          - --secret-name=common-golang-external-secrets-webhook
-          - --secret-namespace=default
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          - --enable-partial-cache=true
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: common-golang-external-secrets
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: external-secrets
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - --concurrent=1
-          - --metrics-addr=:8080
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-      dnsPolicy: ClusterFirst
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-webhook
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      hostNetwork: false
-      serviceAccountName: external-secrets-webhook
-      automountServiceAccountToken: true
-      containers:
-        - name: webhook
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - webhook
-          - --port=10250
-          - --dns-name=common-golang-external-secrets-webhook.default.svc
-          - --cert-dir=/tmp/certs
-          - --check-interval=5m
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-            - containerPort: 10250
-              protocol: TCP
-              name: webhook
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
-          volumeMounts:
-            - name: certs
-              mountPath: /tmp/certs
-              readOnly: true
-      volumes:
-        - name: certs
-          secret:
-            secretName: common-golang-external-secrets-webhook
----
-# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: vault-backend
-  namespace: golang-external-secrets
-spec:
-  provider:
-    vault:
-      server: https://vault-vault.apps.hub.example.com
-      path: secret
-      # Version of KV backend
-      version: v2
-
-      caProvider:
-        type: Secret
-        name: hub-ca
-        key: hub-kube-root-ca.crt
-        namespace: golang-external-secrets
-
-      auth:
-        kubernetes:
-
-          mountPath: region.example.com
-          role: region.example.com-role
-
-          secretRef:
-            name: golang-external-secrets
-            namespace: golang-external-secrets
-            key: "token"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: secretstore-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.secretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["secretstores"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-secretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-
-- name: "validate.clustersecretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["clustersecretstores"]
-    scope:       "Cluster"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-clustersecretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: externalsecret-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.externalsecret.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["externalsecrets"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-externalsecret
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-  failurePolicy: Fail
diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml
deleted file mode 100644
index 056054ba..00000000
--- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,13143 +0,0 @@
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: golang-external-secrets
-  namespace: golang-external-secrets
-  annotations:
-    kubernetes.io/service-account.name: golang-external-secrets
-type: kubernetes.io/service-account-token
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: acraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - acraccesstoken
-    kind: ACRAccessToken
-    listKind: ACRAccessTokenList
-    plural: acraccesstokens
-    shortNames:
-      - acraccesstoken
-    singular: acraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ACRAccessToken returns a Azure Container Registry token
-            that can be used for pushing/pulling images.
-            Note: by default it will return an ACR Refresh Token with full access
-            (depending on the identity).
-            This can be scoped down to the repository level using .spec.scope.
-            In case scope is defined it will return an ACR Access Token.
-
-
-            See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: |-
-                ACRAccessTokenSpec defines how to generate the access token
-                e.g. how to authenticate and which registry to use.
-                see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
-              properties:
-                auth:
-                  properties:
-                    managedIdentity:
-                      description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
-                      properties:
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                      type: object
-                    servicePrincipal:
-                      description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
-                      properties:
-                        secretRef:
-                          description: |-
-                            Configuration used to authenticate with Azure using static
-                            credentials stored in a Kind=Secret.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                    workloadIdentity:
-                      description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
-                      properties:
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                  type: object
-                environmentType:
-                  default: PublicCloud
-                  description: |-
-                    EnvironmentType specifies the Azure cloud environment endpoints to use for
-                    connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                    The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                    PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                  enum:
-                    - PublicCloud
-                    - USGovernmentCloud
-                    - ChinaCloud
-                    - GermanCloud
-                  type: string
-                registry:
-                  description: |-
-                    the domain name of the ACR registry
-                    e.g. foobarexample.azurecr.io
-                  type: string
-                scope:
-                  description: |-
-                    Define the scope for the access token, e.g. pull/push access for a repository.
-                    if not provided it will return a refresh token that has full scope.
-                    Note: you need to pin it down to the repository level, there is no wildcard available.
-
-
-                    examples:
-                    repository:my-repository:pull,push
-                    repository:my-repository:pull
-
-
-                    see docs for details: https://docs.docker.com/registry/spec/auth/scope/
-                  type: string
-                tenantId:
-                  description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                  type: string
-              required:
-                - auth
-                - registry
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clusterexternalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterExternalSecret
-    listKind: ClusterExternalSecretList
-    plural: clusterexternalsecrets
-    shortNames:
-      - ces
-    singular: clusterexternalsecret
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshTime
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
-              properties:
-                externalSecretMetadata:
-                  description: The metadata of the external secrets to be created
-                  properties:
-                    annotations:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    labels:
-                      additionalProperties:
-                        type: string
-                      type: object
-                  type: object
-                externalSecretName:
-                  description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
-                  type: string
-                externalSecretSpec:
-                  description: The spec for the ExternalSecrets to be created
-                  properties:
-                    data:
-                      description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                      items:
-                        description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                        properties:
-                          remoteRef:
-                            description: |-
-                              RemoteRef points to the remote secret and defines
-                              which secret (version/property/..) to fetch.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          secretKey:
-                            description: |-
-                              SecretKey defines the key in which the controller stores
-                              the value. This is the key in the Kind=Secret
-                            type: string
-                          sourceRef:
-                            description: |-
-                              SourceRef allows you to override the source
-                              from which the value will pulled from.
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: |-
-                                  GeneratorRef points to a generator custom resource.
-
-
-                                  Deprecated: The generatorRef is not implemented in .data[].
-                                  this will be removed with v1.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        required:
-                          - remoteRef
-                          - secretKey
-                        type: object
-                      type: array
-                    dataFrom:
-                      description: |-
-                        DataFrom is used to fetch all properties from a specific Provider data
-                        If multiple entries are specified, the Secret keys are merged in the specified order
-                      items:
-                        properties:
-                          extract:
-                            description: |-
-                              Used to extract multiple key/value pairs from one secret
-                              Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          find:
-                            description: |-
-                              Used to find secrets based on tags or regular expressions
-                              Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              name:
-                                description: Finds secrets based on the name.
-                                properties:
-                                  regexp:
-                                    description: Finds secrets base
-                                    type: string
-                                type: object
-                              path:
-                                description: A root path to start the find operations.
-                                type: string
-                              tags:
-                                additionalProperties:
-                                  type: string
-                                description: Find secrets based on tags.
-                                type: object
-                            type: object
-                          rewrite:
-                            description: |-
-                              Used to rewrite secret Keys after getting them from the secret Provider
-                              Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                            items:
-                              properties:
-                                regexp:
-                                  description: |-
-                                    Used to rewrite with regular expressions.
-                                    The resulting key will be the output of a regexp.ReplaceAll operation.
-                                  properties:
-                                    source:
-                                      description: Used to define the regular expression of a re.Compiler.
-                                      type: string
-                                    target:
-                                      description: Used to define the target pattern of a ReplaceAll operation.
-                                      type: string
-                                  required:
-                                    - source
-                                    - target
-                                  type: object
-                                transform:
-                                  description: |-
-                                    Used to apply string transformation on the secrets.
-                                    The resulting key will be the output of the template applied by the operation.
-                                  properties:
-                                    template:
-                                      description: |-
-                                        Used to define the template to apply on the secret name.
-                                        `.value ` will specify the secret name in the template.
-                                      type: string
-                                  required:
-                                    - template
-                                  type: object
-                              type: object
-                            type: array
-                          sourceRef:
-                            description: |-
-                              SourceRef points to a store or generator
-                              which contains secret values ready to use.
-                              Use this in combination with Extract or Find pull values out of
-                              a specific SecretStore.
-                              When sourceRef points to a generator Extract or Find is not supported.
-                              The generator returns a static map of values
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: GeneratorRef points to a generator custom resource.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        type: object
-                      type: array
-                    refreshInterval:
-                      default: 1h
-                      description: |-
-                        RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                        Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                        May be set to zero to fetch and create it once. Defaults to 1h.
-                      type: string
-                    secretStoreRef:
-                      description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                      properties:
-                        kind:
-                          description: |-
-                            Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                            Defaults to `SecretStore`
-                          type: string
-                        name:
-                          description: Name of the SecretStore resource
-                          type: string
-                      required:
-                        - name
-                      type: object
-                    target:
-                      default:
-                        creationPolicy: Owner
-                        deletionPolicy: Retain
-                      description: |-
-                        ExternalSecretTarget defines the Kubernetes Secret to be created
-                        There can be only one target per ExternalSecret.
-                      properties:
-                        creationPolicy:
-                          default: Owner
-                          description: |-
-                            CreationPolicy defines rules on how to create the resulting Secret
-                            Defaults to 'Owner'
-                          enum:
-                            - Owner
-                            - Orphan
-                            - Merge
-                            - None
-                          type: string
-                        deletionPolicy:
-                          default: Retain
-                          description: |-
-                            DeletionPolicy defines rules on how to delete the resulting Secret
-                            Defaults to 'Retain'
-                          enum:
-                            - Delete
-                            - Merge
-                            - Retain
-                          type: string
-                        immutable:
-                          description: Immutable defines if the final secret will be immutable
-                          type: boolean
-                        name:
-                          description: |-
-                            Name defines the name of the Secret resource to be managed
-                            This field is immutable
-                            Defaults to the .metadata.name of the ExternalSecret resource
-                          type: string
-                        template:
-                          description: Template defines a blueprint for the created Secret resource.
-                          properties:
-                            data:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            engineVersion:
-                              default: v2
-                              description: |-
-                                EngineVersion specifies the template engine version
-                                that should be used to compile/execute the
-                                template specified in .data and .templateFrom[].
-                              enum:
-                                - v1
-                                - v2
-                              type: string
-                            mergePolicy:
-                              default: Replace
-                              enum:
-                                - Replace
-                                - Merge
-                              type: string
-                            metadata:
-                              description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                              properties:
-                                annotations:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                                labels:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                              type: object
-                            templateFrom:
-                              items:
-                                properties:
-                                  configMap:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  literal:
-                                    type: string
-                                  secret:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  target:
-                                    default: Data
-                                    enum:
-                                      - Data
-                                      - Annotations
-                                      - Labels
-                                    type: string
-                                type: object
-                              type: array
-                            type:
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                namespaceSelector:
-                  description: |-
-                    The labels to select by to find the Namespaces to create the ExternalSecrets in.
-                    Deprecated: Use NamespaceSelectors instead.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                      items:
-                        description: |-
-                          A label selector requirement is a selector that contains values, a key, and an operator that
-                          relates the key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies to.
-                            type: string
-                          operator:
-                            description: |-
-                              operator represents a key's relationship to a set of values.
-                              Valid operators are In, NotIn, Exists and DoesNotExist.
-                            type: string
-                          values:
-                            description: |-
-                              values is an array of string values. If the operator is In or NotIn,
-                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                              the values array must be empty. This array is replaced during a strategic
-                              merge patch.
-                            items:
-                              type: string
-                            type: array
-                            x-kubernetes-list-type: atomic
-                        required:
-                          - key
-                          - operator
-                        type: object
-                      type: array
-                      x-kubernetes-list-type: atomic
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: |-
-                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                        map is equivalent to an element of matchExpressions, whose key field is "key", the
-                        operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      type: object
-                  type: object
-                  x-kubernetes-map-type: atomic
-                namespaceSelectors:
-                  description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
-                  items:
-                    description: |-
-                      A label selector is a label query over a set of resources. The result of matchLabels and
-                      matchExpressions are ANDed. An empty label selector matches all objects. A null
-                      label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: |-
-                            A label selector requirement is a selector that contains values, a key, and an operator that
-                            relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: |-
-                                operator represents a key's relationship to a set of values.
-                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: |-
-                                values is an array of string values. If the operator is In or NotIn,
-                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                the values array must be empty. This array is replaced during a strategic
-                                merge patch.
-                              items:
-                                type: string
-                              type: array
-                              x-kubernetes-list-type: atomic
-                          required:
-                            - key
-                            - operator
-                          type: object
-                        type: array
-                        x-kubernetes-list-type: atomic
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: |-
-                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                    x-kubernetes-map-type: atomic
-                  type: array
-                namespaces:
-                  description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
-                  items:
-                    type: string
-                  type: array
-                refreshTime:
-                  description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
-                  type: string
-              required:
-                - externalSecretSpec
-              type: object
-            status:
-              description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      message:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                externalSecretName:
-                  description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
-                  type: string
-                failedNamespaces:
-                  description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
-                  items:
-                    description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
-                    properties:
-                      namespace:
-                        description: Namespace is the namespace that failed when trying to apply an ExternalSecret
-                        type: string
-                      reason:
-                        description: Reason is why the ExternalSecret failed to apply to the namespace
-                        type: string
-                    required:
-                      - namespace
-                    type: object
-                  type: array
-                provisionedNamespaces:
-                  description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
-                  items:
-                    type: string
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clustersecretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterSecretStore
-    listKind: ClusterSecretStoreList
-    plural: clustersecretstores
-    shortNames:
-      - css
-    singular: clustersecretstore
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: ecrauthorizationtokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - ecrauthorizationtoken
-    kind: ECRAuthorizationToken
-    listKind: ECRAuthorizationTokenList
-    plural: ecrauthorizationtokens
-    shortNames:
-      - ecrauthorizationtoken
-    singular: ecrauthorizationtoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
-            authorization token.
-            The authorization token is valid for 12 hours.
-            The authorizationToken returned is a base64 encoded string that can be decoded
-            and used in a docker login command to authenticate to a registry.
-            For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines how to authenticate with AWS
-                  properties:
-                    jwt:
-                      description: Authenticate against AWS using service account tokens.
-                      properties:
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                    secretRef:
-                      description: |-
-                        AWSAuthSecretRef holds secret references for AWS credentials
-                        both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                      properties:
-                        accessKeyIDSecretRef:
-                          description: The AccessKeyID is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        sessionTokenSecretRef:
-                          description: |-
-                            The SessionToken used for authentication
-                            This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                            see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                region:
-                  description: Region specifies the region to operate in.
-                  type: string
-                role:
-                  description: |-
-                    You can assume a role before making calls to the
-                    desired AWS service.
-                  type: string
-              required:
-                - region
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: externalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ExternalSecret
-    listKind: ExternalSecretList
-    plural: externalsecrets
-    shortNames:
-      - es
-    singular: externalsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: ExternalSecretDataRemoteRef defines Provider data location.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        type: string
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    description: ExternalSecretDataRemoteRef defines Provider data location.
-                    properties:
-                      conversionStrategy:
-                        default: Default
-                        description: Used to define a conversion Strategy
-                        enum:
-                          - Default
-                          - Unicode
-                        type: string
-                      key:
-                        description: Key is the key used in the Provider, mandatory
-                        type: string
-                      property:
-                        description: Used to select a specific property of the Provider value (if a map), if supported
-                        type: string
-                      version:
-                        description: Used to select a specific version of the Provider value, if supported
-                        type: string
-                    required:
-                      - key
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Merge
-                        - None
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v1
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            maxProperties: 1
-                            minProperties: 1
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              required:
-                - secretStoreRef
-                - target
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: |-
-                          RemoteRef points to the remote secret and defines
-                          which secret (version/property/..) to fetch.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        description: |-
-                          SecretKey defines the key in which the controller stores
-                          the value. This is the key in the Kind=Secret
-                        type: string
-                      sourceRef:
-                        description: |-
-                          SourceRef allows you to override the source
-                          from which the value will pulled from.
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: |-
-                              GeneratorRef points to a generator custom resource.
-
-
-                              Deprecated: The generatorRef is not implemented in .data[].
-                              this will be removed with v1.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    properties:
-                      extract:
-                        description: |-
-                          Used to extract multiple key/value pairs from one secret
-                          Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      find:
-                        description: |-
-                          Used to find secrets based on tags or regular expressions
-                          Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          name:
-                            description: Finds secrets based on the name.
-                            properties:
-                              regexp:
-                                description: Finds secrets base
-                                type: string
-                            type: object
-                          path:
-                            description: A root path to start the find operations.
-                            type: string
-                          tags:
-                            additionalProperties:
-                              type: string
-                            description: Find secrets based on tags.
-                            type: object
-                        type: object
-                      rewrite:
-                        description: |-
-                          Used to rewrite secret Keys after getting them from the secret Provider
-                          Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                        items:
-                          properties:
-                            regexp:
-                              description: |-
-                                Used to rewrite with regular expressions.
-                                The resulting key will be the output of a regexp.ReplaceAll operation.
-                              properties:
-                                source:
-                                  description: Used to define the regular expression of a re.Compiler.
-                                  type: string
-                                target:
-                                  description: Used to define the target pattern of a ReplaceAll operation.
-                                  type: string
-                              required:
-                                - source
-                                - target
-                              type: object
-                            transform:
-                              description: |-
-                                Used to apply string transformation on the secrets.
-                                The resulting key will be the output of the template applied by the operation.
-                              properties:
-                                template:
-                                  description: |-
-                                    Used to define the template to apply on the secret name.
-                                    `.value ` will specify the secret name in the template.
-                                  type: string
-                              required:
-                                - template
-                              type: object
-                          type: object
-                        type: array
-                      sourceRef:
-                        description: |-
-                          SourceRef points to a store or generator
-                          which contains secret values ready to use.
-                          Use this in combination with Extract or Find pull values out of
-                          a specific SecretStore.
-                          When sourceRef points to a generator Extract or Find is not supported.
-                          The generator returns a static map of values
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: GeneratorRef points to a generator custom resource.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  default:
-                    creationPolicy: Owner
-                    deletionPolicy: Retain
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Orphan
-                        - Merge
-                        - None
-                      type: string
-                    deletionPolicy:
-                      default: Retain
-                      description: |-
-                        DeletionPolicy defines rules on how to delete the resulting Secret
-                        Defaults to 'Retain'
-                      enum:
-                        - Delete
-                        - Merge
-                        - Retain
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v2
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        mergePolicy:
-                          default: Replace
-                          enum:
-                            - Replace
-                            - Merge
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              literal:
-                                type: string
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              target:
-                                default: Data
-                                enum:
-                                  - Data
-                                  - Annotations
-                                  - Labels
-                                type: string
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: fakes.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - fake
-    kind: Fake
-    listKind: FakeList
-    plural: fakes
-    shortNames:
-      - fake
-    singular: fake
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Fake generator is used for testing. It lets you define
-            a static set of credentials that is always returned.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: FakeSpec contains the static data.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                data:
-                  additionalProperties:
-                    type: string
-                  description: |-
-                    Data defines the static data returned
-                    by this generator.
-                  type: object
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: gcraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - gcraccesstoken
-    kind: GCRAccessToken
-    listKind: GCRAccessTokenList
-    plural: gcraccesstokens
-    shortNames:
-      - gcraccesstoken
-    singular: gcraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            GCRAccessToken generates an GCP access token
-            that can be used to authenticate with GCR.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines the means for authenticating with GCP
-                  properties:
-                    secretRef:
-                      properties:
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    workloadIdentity:
-                      properties:
-                        clusterLocation:
-                          type: string
-                        clusterName:
-                          type: string
-                        clusterProjectID:
-                          type: string
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      required:
-                        - clusterLocation
-                        - clusterName
-                        - serviceAccountRef
-                      type: object
-                  type: object
-                projectID:
-                  description: ProjectID defines which project to use to authenticate with
-                  type: string
-              required:
-                - auth
-                - projectID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: githubaccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - githubaccesstoken
-    kind: GithubAccessToken
-    listKind: GithubAccessTokenList
-    plural: githubaccesstokens
-    shortNames:
-      - githubaccesstoken
-    singular: githubaccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: GithubAccessToken generates ghs_ accessToken
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                appID:
-                  type: string
-                auth:
-                  description: Auth configures how ESO authenticates with a Github instance.
-                  properties:
-                    privateKey:
-                      properties:
-                        secretRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                  required:
-                    - privateKey
-                  type: object
-                installID:
-                  type: string
-                url:
-                  description: URL configures the Github instance URL. Defaults to https://github.com/.
-                  type: string
-              required:
-                - appID
-                - auth
-                - installID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: passwords.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - password
-    kind: Password
-    listKind: PasswordList
-    plural: passwords
-    shortNames:
-      - password
-    singular: password
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Password generates a random password based on the
-            configuration parameters in spec.
-            You can specify the length, characterset and other attributes.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PasswordSpec controls the behavior of the password generator.
-              properties:
-                allowRepeat:
-                  default: false
-                  description: set AllowRepeat to true to allow repeating characters.
-                  type: boolean
-                digits:
-                  description: |-
-                    Digits specifies the number of digits in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-                length:
-                  default: 24
-                  description: |-
-                    Length of the password to be generated.
-                    Defaults to 24
-                  type: integer
-                noUpper:
-                  default: false
-                  description: Set NoUpper to disable uppercase characters
-                  type: boolean
-                symbolCharacters:
-                  description: |-
-                    SymbolCharacters specifies the special characters that should be used
-                    in the generated password.
-                  type: string
-                symbols:
-                  description: |-
-                    Symbols specifies the number of symbol characters in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-              required:
-                - allowRepeat
-                - length
-                - noUpper
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  name: pushsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - pushsecrets
-    kind: PushSecret
-    listKind: PushSecretList
-    plural: pushsecrets
-    singular: pushsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PushSecretSpec configures the behavior of the PushSecret.
-              properties:
-                data:
-                  description: Secret Data that should be pushed to providers
-                  items:
-                    properties:
-                      conversionStrategy:
-                        default: None
-                        description: Used to define a conversion Strategy for the secret keys
-                        enum:
-                          - None
-                          - ReverseUnicode
-                        type: string
-                      match:
-                        description: Match a given Secret Key to be pushed to the provider.
-                        properties:
-                          remoteRef:
-                            description: Remote Refs to push to providers.
-                            properties:
-                              property:
-                                description: Name of the property in the resulting secret
-                                type: string
-                              remoteKey:
-                                description: Name of the resulting provider secret.
-                                type: string
-                            required:
-                              - remoteKey
-                            type: object
-                          secretKey:
-                            description: Secret Key to be pushed
-                            type: string
-                        required:
-                          - remoteRef
-                        type: object
-                      metadata:
-                        description: |-
-                          Metadata is metadata attached to the secret.
-                          The structure of metadata is provider specific, please look it up in the provider documentation.
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                      - match
-                    type: object
-                  type: array
-                deletionPolicy:
-                  default: None
-                  description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
-                  enum:
-                    - Delete
-                    - None
-                  type: string
-                refreshInterval:
-                  description: The Interval to which External Secrets will try to push a secret definition
-                  type: string
-                secretStoreRefs:
-                  items:
-                    properties:
-                      kind:
-                        default: SecretStore
-                        description: |-
-                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                          Defaults to `SecretStore`
-                        type: string
-                      labelSelector:
-                        description: Optionally, sync to secret stores with label selector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      name:
-                        description: Optionally, sync to the SecretStore of the given name
-                        type: string
-                    type: object
-                  type: array
-                selector:
-                  description: The Secret Selector (k8s source) for the Push Secret
-                  properties:
-                    secret:
-                      description: Select a Secret to Push.
-                      properties:
-                        name:
-                          description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
-                          type: string
-                      required:
-                        - name
-                      type: object
-                  required:
-                    - secret
-                  type: object
-                template:
-                  description: Template defines a blueprint for the created Secret resource.
-                  properties:
-                    data:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    engineVersion:
-                      default: v2
-                      description: |-
-                        EngineVersion specifies the template engine version
-                        that should be used to compile/execute the
-                        template specified in .data and .templateFrom[].
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                    mergePolicy:
-                      default: Replace
-                      enum:
-                        - Replace
-                        - Merge
-                      type: string
-                    metadata:
-                      description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        labels:
-                          additionalProperties:
-                            type: string
-                          type: object
-                      type: object
-                    templateFrom:
-                      items:
-                        properties:
-                          configMap:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          literal:
-                            type: string
-                          secret:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          target:
-                            default: Data
-                            enum:
-                              - Data
-                              - Annotations
-                              - Labels
-                            type: string
-                        type: object
-                      type: array
-                    type:
-                      type: string
-                  type: object
-                updatePolicy:
-                  default: Replace
-                  description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
-                  enum:
-                    - Replace
-                    - IfNotExists
-                  type: string
-              required:
-                - secretStoreRefs
-                - selector
-              type: object
-            status:
-              description: PushSecretStatus indicates the history of the status of PushSecret.
-              properties:
-                conditions:
-                  items:
-                    description: PushSecretStatusCondition indicates the status of the PushSecret.
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        description: PushSecretConditionType indicates the condition of the PushSecret.
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedPushSecrets:
-                  additionalProperties:
-                    additionalProperties:
-                      properties:
-                        conversionStrategy:
-                          default: None
-                          description: Used to define a conversion Strategy for the secret keys
-                          enum:
-                            - None
-                            - ReverseUnicode
-                          type: string
-                        match:
-                          description: Match a given Secret Key to be pushed to the provider.
-                          properties:
-                            remoteRef:
-                              description: Remote Refs to push to providers.
-                              properties:
-                                property:
-                                  description: Name of the property in the resulting secret
-                                  type: string
-                                remoteKey:
-                                  description: Name of the resulting provider secret.
-                                  type: string
-                              required:
-                                - remoteKey
-                              type: object
-                            secretKey:
-                              description: Secret Key to be pushed
-                              type: string
-                          required:
-                            - remoteRef
-                          type: object
-                        metadata:
-                          description: |-
-                            Metadata is metadata attached to the secret.
-                            The structure of metadata is provider specific, please look it up in the provider documentation.
-                          x-kubernetes-preserve-unknown-fields: true
-                      required:
-                        - match
-                      type: object
-                    type: object
-                  description: |-
-                    Synced PushSecrets, including secrets that already exist in provider.
-                    Matches secret stores to PushSecretData that was stored to that secret store.
-                  type: object
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version.
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: secretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: SecretStore
-    listKind: SecretStoreList
-    plural: secretstores
-    shortNames:
-      - ss
-    singular: secretstore
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: vaultdynamicsecrets.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - vaultdynamicsecret
-    kind: VaultDynamicSecret
-    listKind: VaultDynamicSecretList
-    plural: vaultdynamicsecrets
-    shortNames:
-      - vaultdynamicsecret
-    singular: vaultdynamicsecret
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                method:
-                  description: Vault API method to use (GET/POST/other)
-                  type: string
-                parameters:
-                  description: Parameters to pass to Vault write (for non-GET methods)
-                  x-kubernetes-preserve-unknown-fields: true
-                path:
-                  description: Vault path to obtain the dynamic secret from
-                  type: string
-                provider:
-                  description: Vault provider common spec
-                  properties:
-                    auth:
-                      description: Auth configures how secret-manager authenticates with the Vault server.
-                      properties:
-                        appRole:
-                          description: |-
-                            AppRole authenticates with Vault using the App Role auth mechanism,
-                            with the role and secret stored in a Kubernetes Secret resource.
-                          properties:
-                            path:
-                              default: approle
-                              description: |-
-                                Path where the App Role authentication backend is mounted
-                                in Vault, e.g: "approle"
-                              type: string
-                            roleId:
-                              description: |-
-                                RoleID configured in the App Role authentication backend when setting
-                                up the authentication backend in Vault.
-                              type: string
-                            roleRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role ID used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role id.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role secret used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role secret.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                            - secretRef
-                          type: object
-                        cert:
-                          description: |-
-                            Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                            Cert authentication method
-                          properties:
-                            clientCert:
-                              description: |-
-                                ClientCert is a certificate to authenticate using the Cert Vault
-                                authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing client private key to
-                                authenticate with Vault using the Cert authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        iam:
-                          description: |-
-                            Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                            AWS IAM authentication method
-                          properties:
-                            externalID:
-                              description: AWS External ID set on assumed IAM roles
-                              type: string
-                            jwt:
-                              description: Specify a service account with IRSA enabled
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            path:
-                              description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                              type: string
-                            region:
-                              description: AWS region
-                              type: string
-                            role:
-                              description: This is the AWS role to be assumed before talking to vault
-                              type: string
-                            secretRef:
-                              description: Specify credentials in a Secret object
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            vaultAwsIamServerID:
-                              description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                              type: string
-                            vaultRole:
-                              description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                              type: string
-                          required:
-                            - vaultRole
-                          type: object
-                        jwt:
-                          description: |-
-                            Jwt authenticates with Vault by passing role and JWT token using the
-                            JWT/OIDC authentication method
-                          properties:
-                            kubernetesServiceAccountToken:
-                              description: |-
-                                Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                a token for with the `TokenRequest` API.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Optional audiences field that will be used to request a temporary Kubernetes service
-                                    account token for the service account referenced by `serviceAccountRef`.
-                                    Defaults to a single audience `vault` it not specified.
-                                    Deprecated: use serviceAccountRef.Audiences instead
-                                  items:
-                                    type: string
-                                  type: array
-                                expirationSeconds:
-                                  description: |-
-                                    Optional expiration time in seconds that will be used to request a temporary
-                                    Kubernetes service account token for the service account referenced by
-                                    `serviceAccountRef`.
-                                    Deprecated: this will be removed in the future.
-                                    Defaults to 10 minutes.
-                                  format: int64
-                                  type: integer
-                                serviceAccountRef:
-                                  description: Service account field containing the name of a kubernetes ServiceAccount.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - serviceAccountRef
-                              type: object
-                            path:
-                              default: jwt
-                              description: |-
-                                Path where the JWT authentication backend is mounted
-                                in Vault, e.g: "jwt"
-                              type: string
-                            role:
-                              description: |-
-                                Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                authentication method
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                authenticate with Vault using the JWT/OIDC authentication method.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                          type: object
-                        kubernetes:
-                          description: |-
-                            Kubernetes authenticates with Vault by passing the ServiceAccount
-                            token stored in the named Secret resource to the Vault server.
-                          properties:
-                            mountPath:
-                              default: kubernetes
-                              description: |-
-                                Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                "kubernetes"
-                              type: string
-                            role:
-                              description: |-
-                                A required field containing the Vault Role to assume. A Role binds a
-                                Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                for authenticating with Vault. If a name is specified without a key,
-                                `token` is the default. If one is not specified, the one bound to
-                                the controller will be used.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            serviceAccountRef:
-                              description: |-
-                                Optional service account field containing the name of a kubernetes ServiceAccount.
-                                If the service account is specified, the service account secret token JWT will be used
-                                for authenticating with Vault. If the service account selector is not supplied,
-                                the secretRef will be used instead.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          required:
-                            - mountPath
-                            - role
-                          type: object
-                        ldap:
-                          description: |-
-                            Ldap authenticates with Vault by passing username/password pair using
-                            the LDAP authentication method
-                          properties:
-                            path:
-                              default: ldap
-                              description: |-
-                                Path where the LDAP authentication backend is mounted
-                                in Vault, e.g: "ldap"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the LDAP
-                                user used to authenticate with Vault using the LDAP authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a LDAP user name used to authenticate using the LDAP Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                            Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                            This will default to Vault.Namespace field if set, or empty otherwise
-                          type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        userPass:
-                          description: UserPass authenticates with Vault by passing username/password pair
-                          properties:
-                            path:
-                              default: user
-                              description: |-
-                                Path where the UserPassword authentication backend is mounted
-                                in Vault, e.g: "user"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the
-                                user used to authenticate with Vault using the UserPass authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a user name used to authenticate using the UserPass Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                      type: object
-                    caBundle:
-                      description: |-
-                        PEM encoded CA bundle used to validate Vault server certificate. Only used
-                        if the Server URL is using HTTPS protocol. This parameter is ignored for
-                        plain HTTP protocol connection. If not set the system root certificates
-                        are used to validate the TLS connection.
-                      format: byte
-                      type: string
-                    caProvider:
-                      description: The provider for the CA bundle to use to validate Vault server certificate.
-                      properties:
-                        key:
-                          description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                          type: string
-                        name:
-                          description: The name of the object located at the provider type.
-                          type: string
-                        namespace:
-                          description: |-
-                            The namespace the Provider type is in.
-                            Can only be defined when used in a ClusterSecretStore.
-                          type: string
-                        type:
-                          description: The type of provider to use such as "Secret", or "ConfigMap".
-                          enum:
-                            - Secret
-                            - ConfigMap
-                          type: string
-                      required:
-                        - name
-                        - type
-                      type: object
-                    forwardInconsistent:
-                      description: |-
-                        ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                        leader instead of simply retrying within a loop. This can increase performance if
-                        the option is enabled serverside.
-                        https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                      type: boolean
-                    headers:
-                      additionalProperties:
-                        type: string
-                      description: Headers to be added in Vault request
-                      type: object
-                    namespace:
-                      description: |-
-                        Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                        Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                        More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                      type: string
-                    path:
-                      description: |-
-                        Path is the mount path of the Vault KV backend endpoint, e.g:
-                        "secret". The v2 KV secret engine version specific "/data" path suffix
-                        for fetching secrets from Vault is optional and will be appended
-                        if not present in specified path.
-                      type: string
-                    readYourWrites:
-                      description: |-
-                        ReadYourWrites ensures isolated read-after-write semantics by
-                        providing discovered cluster replication states in each request.
-                        More information about eventual consistency in Vault can be found here
-                        https://www.vaultproject.io/docs/enterprise/consistency
-                      type: boolean
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                    tls:
-                      description: |-
-                        The configuration used for client side related TLS communication, when the Vault server
-                        requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                        This parameter is ignored for plain HTTP protocol connection.
-                        It's worth noting this configuration is different from the "TLS certificates auth method",
-                        which is available under the `auth.cert` section.
-                      properties:
-                        certSecretRef:
-                          description: |-
-                            CertSecretRef is a certificate added to the transport layer
-                            when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        keySecretRef:
-                          description: |-
-                            KeySecretRef to a key in a Secret resource containing client private key
-                            added to the transport layer when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    version:
-                      default: v2
-                      description: |-
-                        Version is the Vault KV secret engine version. This can be either "v1" or
-                        "v2". Version defaults to "v2".
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                  required:
-                    - auth
-                    - server
-                  type: object
-                resultType:
-                  default: Data
-                  description: |-
-                    Result type defines which data is returned from the generator.
-                    By default it is the "data" section of the Vault API response.
-                    When using e.g. /auth/token/create the "data" section is empty but
-                    the "auth" section contains the generated token.
-                    Please refer to the vault docs regarding the result data structure.
-                  enum:
-                    - Data
-                    - Auth
-                  type: string
-              required:
-                - path
-                - provider
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: webhooks.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - webhook
-    kind: Webhook
-    listKind: WebhookList
-    plural: webhooks
-    shortNames:
-      - webhookl
-    singular: webhook
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Webhook connects to a third party API server to handle the secrets generation
-            configuration parameters in spec.
-            You can specify the server, the token, and additional body parameters.
-            See documentation for the full API specification for requests and responses.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
-              properties:
-                body:
-                  description: Body
-                  type: string
-                caBundle:
-                  description: |-
-                    PEM encoded CA bundle used to validate webhook server certificate. Only used
-                    if the Server URL is using HTTPS protocol. This parameter is ignored for
-                    plain HTTP protocol connection. If not set the system root certificates
-                    are used to validate the TLS connection.
-                  format: byte
-                  type: string
-                caProvider:
-                  description: The provider for the CA bundle to use to validate webhook server certificate.
-                  properties:
-                    key:
-                      description: The key the value inside of the provider type to use, only used with "Secret" type
-                      type: string
-                    name:
-                      description: The name of the object located at the provider type.
-                      type: string
-                    namespace:
-                      description: The namespace the Provider type is in.
-                      type: string
-                    type:
-                      description: The type of provider to use such as "Secret", or "ConfigMap".
-                      enum:
-                        - Secret
-                        - ConfigMap
-                      type: string
-                  required:
-                    - name
-                    - type
-                  type: object
-                headers:
-                  additionalProperties:
-                    type: string
-                  description: Headers
-                  type: object
-                method:
-                  description: Webhook Method
-                  type: string
-                result:
-                  description: Result formatting
-                  properties:
-                    jsonPath:
-                      description: Json path of return value
-                      type: string
-                  type: object
-                secrets:
-                  description: |-
-                    Secrets to fill in templates
-                    These secrets will be passed to the templating function as key value pairs under the given name
-                  items:
-                    properties:
-                      name:
-                        description: Name of this secret in templates
-                        type: string
-                      secretRef:
-                        description: Secret ref to fill in credentials
-                        properties:
-                          key:
-                            description: The key where the token is found.
-                            type: string
-                          name:
-                            description: The name of the Secret resource being referred to.
-                            type: string
-                        type: object
-                    required:
-                      - name
-                      - secretRef
-                    type: object
-                  type: array
-                timeout:
-                  description: Timeout
-                  type: string
-                url:
-                  description: Webhook url to call
-                  type: string
-              required:
-                - result
-                - url
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "apiextensions.k8s.io"
-    resources:
-    - "customresourcedefinitions"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "admissionregistration.k8s.io"
-    resources:
-    - "validatingwebhookconfigurations"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "endpoints"
-    verbs:
-    - "list"
-    - "get"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "secretstores"
-    - "clustersecretstores"
-    - "externalsecrets"
-    - "clusterexternalsecrets"
-    - "pushsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    - "externalsecrets/status"
-    - "externalsecrets/finalizers"
-    - "secretstores"
-    - "secretstores/status"
-    - "secretstores/finalizers"
-    - "clustersecretstores"
-    - "clustersecretstores/status"
-    - "clustersecretstores/finalizers"
-    - "clusterexternalsecrets"
-    - "clusterexternalsecrets/status"
-    - "clusterexternalsecrets/finalizers"
-    - "pushsecrets"
-    - "pushsecrets/status"
-    - "pushsecrets/finalizers"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts"
-    - "namespaces"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "create"
-    - "update"
-    - "delete"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts/token"
-    verbs:
-    - "create"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "create"
-    - "update"
-    - "delete"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-view
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-edit
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-servicebindings
-  labels:
-    servicebinding.io/controller: "true"
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-cert-controller
-subjects:
-  - name: external-secrets-cert-controller
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-controller
-subjects:
-  - name: common-golang-external-secrets
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: role-tokenreview-binding
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: golang-external-secrets
-  namespace: golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    resourceNames:
-    - "external-secrets-controller"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "create"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: common-golang-external-secrets-leaderelection
-subjects:
-  - kind: ServiceAccount
-    name: common-golang-external-secrets
-    namespace: default
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
-spec:
-  type: ClusterIP
-  ports:
-  - port: 443
-    targetPort: 10250
-    protocol: TCP
-    name: webhook
-  selector:
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-cert-controller
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-cert-controller
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: external-secrets-cert-controller
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: cert-controller
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - certcontroller
-          - --crd-requeue-interval=5m
-          - --service-name=common-golang-external-secrets-webhook
-          - --service-namespace=default
-          - --secret-name=common-golang-external-secrets-webhook
-          - --secret-namespace=default
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          - --enable-partial-cache=true
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: common-golang-external-secrets
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: external-secrets
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - --concurrent=1
-          - --metrics-addr=:8080
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-      dnsPolicy: ClusterFirst
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-webhook
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      hostNetwork: false
-      serviceAccountName: external-secrets-webhook
-      automountServiceAccountToken: true
-      containers:
-        - name: webhook
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - webhook
-          - --port=10250
-          - --dns-name=common-golang-external-secrets-webhook.default.svc
-          - --cert-dir=/tmp/certs
-          - --check-interval=5m
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-            - containerPort: 10250
-              protocol: TCP
-              name: webhook
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
-          volumeMounts:
-            - name: certs
-              mountPath: /tmp/certs
-              readOnly: true
-      volumes:
-        - name: certs
-          secret:
-            secretName: common-golang-external-secrets-webhook
----
-# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: vault-backend
-  namespace: golang-external-secrets
-spec:
-  provider:
-    vault:
-      server: https://vault-vault.apps.hub.example.com
-      path: secret
-      # Version of KV backend
-      version: v2
-
-      caProvider:
-        type: ConfigMap
-        name: kube-root-ca.crt
-        key: ca.crt
-        namespace: golang-external-secrets
-
-      auth:
-        kubernetes:
-
-          mountPath: hub
-          role: hub-role
-
-          secretRef:
-            name: golang-external-secrets
-            namespace: golang-external-secrets
-            key: "token"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: secretstore-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.secretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["secretstores"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-secretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-
-- name: "validate.clustersecretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["clustersecretstores"]
-    scope:       "Cluster"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-clustersecretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: externalsecret-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.externalsecret.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["externalsecrets"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-externalsecret
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-  failurePolicy: Fail
diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index 056054ba..00000000
--- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,13143 +0,0 @@
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: golang-external-secrets
-  namespace: golang-external-secrets
-  annotations:
-    kubernetes.io/service-account.name: golang-external-secrets
-type: kubernetes.io/service-account-token
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: acraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - acraccesstoken
-    kind: ACRAccessToken
-    listKind: ACRAccessTokenList
-    plural: acraccesstokens
-    shortNames:
-      - acraccesstoken
-    singular: acraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ACRAccessToken returns a Azure Container Registry token
-            that can be used for pushing/pulling images.
-            Note: by default it will return an ACR Refresh Token with full access
-            (depending on the identity).
-            This can be scoped down to the repository level using .spec.scope.
-            In case scope is defined it will return an ACR Access Token.
-
-
-            See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: |-
-                ACRAccessTokenSpec defines how to generate the access token
-                e.g. how to authenticate and which registry to use.
-                see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
-              properties:
-                auth:
-                  properties:
-                    managedIdentity:
-                      description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
-                      properties:
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                      type: object
-                    servicePrincipal:
-                      description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
-                      properties:
-                        secretRef:
-                          description: |-
-                            Configuration used to authenticate with Azure using static
-                            credentials stored in a Kind=Secret.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                    workloadIdentity:
-                      description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
-                      properties:
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                  type: object
-                environmentType:
-                  default: PublicCloud
-                  description: |-
-                    EnvironmentType specifies the Azure cloud environment endpoints to use for
-                    connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                    The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                    PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                  enum:
-                    - PublicCloud
-                    - USGovernmentCloud
-                    - ChinaCloud
-                    - GermanCloud
-                  type: string
-                registry:
-                  description: |-
-                    the domain name of the ACR registry
-                    e.g. foobarexample.azurecr.io
-                  type: string
-                scope:
-                  description: |-
-                    Define the scope for the access token, e.g. pull/push access for a repository.
-                    if not provided it will return a refresh token that has full scope.
-                    Note: you need to pin it down to the repository level, there is no wildcard available.
-
-
-                    examples:
-                    repository:my-repository:pull,push
-                    repository:my-repository:pull
-
-
-                    see docs for details: https://docs.docker.com/registry/spec/auth/scope/
-                  type: string
-                tenantId:
-                  description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                  type: string
-              required:
-                - auth
-                - registry
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clusterexternalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterExternalSecret
-    listKind: ClusterExternalSecretList
-    plural: clusterexternalsecrets
-    shortNames:
-      - ces
-    singular: clusterexternalsecret
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshTime
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
-              properties:
-                externalSecretMetadata:
-                  description: The metadata of the external secrets to be created
-                  properties:
-                    annotations:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    labels:
-                      additionalProperties:
-                        type: string
-                      type: object
-                  type: object
-                externalSecretName:
-                  description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
-                  type: string
-                externalSecretSpec:
-                  description: The spec for the ExternalSecrets to be created
-                  properties:
-                    data:
-                      description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                      items:
-                        description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                        properties:
-                          remoteRef:
-                            description: |-
-                              RemoteRef points to the remote secret and defines
-                              which secret (version/property/..) to fetch.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          secretKey:
-                            description: |-
-                              SecretKey defines the key in which the controller stores
-                              the value. This is the key in the Kind=Secret
-                            type: string
-                          sourceRef:
-                            description: |-
-                              SourceRef allows you to override the source
-                              from which the value will pulled from.
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: |-
-                                  GeneratorRef points to a generator custom resource.
-
-
-                                  Deprecated: The generatorRef is not implemented in .data[].
-                                  this will be removed with v1.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        required:
-                          - remoteRef
-                          - secretKey
-                        type: object
-                      type: array
-                    dataFrom:
-                      description: |-
-                        DataFrom is used to fetch all properties from a specific Provider data
-                        If multiple entries are specified, the Secret keys are merged in the specified order
-                      items:
-                        properties:
-                          extract:
-                            description: |-
-                              Used to extract multiple key/value pairs from one secret
-                              Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          find:
-                            description: |-
-                              Used to find secrets based on tags or regular expressions
-                              Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              name:
-                                description: Finds secrets based on the name.
-                                properties:
-                                  regexp:
-                                    description: Finds secrets base
-                                    type: string
-                                type: object
-                              path:
-                                description: A root path to start the find operations.
-                                type: string
-                              tags:
-                                additionalProperties:
-                                  type: string
-                                description: Find secrets based on tags.
-                                type: object
-                            type: object
-                          rewrite:
-                            description: |-
-                              Used to rewrite secret Keys after getting them from the secret Provider
-                              Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                            items:
-                              properties:
-                                regexp:
-                                  description: |-
-                                    Used to rewrite with regular expressions.
-                                    The resulting key will be the output of a regexp.ReplaceAll operation.
-                                  properties:
-                                    source:
-                                      description: Used to define the regular expression of a re.Compiler.
-                                      type: string
-                                    target:
-                                      description: Used to define the target pattern of a ReplaceAll operation.
-                                      type: string
-                                  required:
-                                    - source
-                                    - target
-                                  type: object
-                                transform:
-                                  description: |-
-                                    Used to apply string transformation on the secrets.
-                                    The resulting key will be the output of the template applied by the operation.
-                                  properties:
-                                    template:
-                                      description: |-
-                                        Used to define the template to apply on the secret name.
-                                        `.value ` will specify the secret name in the template.
-                                      type: string
-                                  required:
-                                    - template
-                                  type: object
-                              type: object
-                            type: array
-                          sourceRef:
-                            description: |-
-                              SourceRef points to a store or generator
-                              which contains secret values ready to use.
-                              Use this in combination with Extract or Find pull values out of
-                              a specific SecretStore.
-                              When sourceRef points to a generator Extract or Find is not supported.
-                              The generator returns a static map of values
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: GeneratorRef points to a generator custom resource.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        type: object
-                      type: array
-                    refreshInterval:
-                      default: 1h
-                      description: |-
-                        RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                        Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                        May be set to zero to fetch and create it once. Defaults to 1h.
-                      type: string
-                    secretStoreRef:
-                      description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                      properties:
-                        kind:
-                          description: |-
-                            Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                            Defaults to `SecretStore`
-                          type: string
-                        name:
-                          description: Name of the SecretStore resource
-                          type: string
-                      required:
-                        - name
-                      type: object
-                    target:
-                      default:
-                        creationPolicy: Owner
-                        deletionPolicy: Retain
-                      description: |-
-                        ExternalSecretTarget defines the Kubernetes Secret to be created
-                        There can be only one target per ExternalSecret.
-                      properties:
-                        creationPolicy:
-                          default: Owner
-                          description: |-
-                            CreationPolicy defines rules on how to create the resulting Secret
-                            Defaults to 'Owner'
-                          enum:
-                            - Owner
-                            - Orphan
-                            - Merge
-                            - None
-                          type: string
-                        deletionPolicy:
-                          default: Retain
-                          description: |-
-                            DeletionPolicy defines rules on how to delete the resulting Secret
-                            Defaults to 'Retain'
-                          enum:
-                            - Delete
-                            - Merge
-                            - Retain
-                          type: string
-                        immutable:
-                          description: Immutable defines if the final secret will be immutable
-                          type: boolean
-                        name:
-                          description: |-
-                            Name defines the name of the Secret resource to be managed
-                            This field is immutable
-                            Defaults to the .metadata.name of the ExternalSecret resource
-                          type: string
-                        template:
-                          description: Template defines a blueprint for the created Secret resource.
-                          properties:
-                            data:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            engineVersion:
-                              default: v2
-                              description: |-
-                                EngineVersion specifies the template engine version
-                                that should be used to compile/execute the
-                                template specified in .data and .templateFrom[].
-                              enum:
-                                - v1
-                                - v2
-                              type: string
-                            mergePolicy:
-                              default: Replace
-                              enum:
-                                - Replace
-                                - Merge
-                              type: string
-                            metadata:
-                              description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                              properties:
-                                annotations:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                                labels:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                              type: object
-                            templateFrom:
-                              items:
-                                properties:
-                                  configMap:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  literal:
-                                    type: string
-                                  secret:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  target:
-                                    default: Data
-                                    enum:
-                                      - Data
-                                      - Annotations
-                                      - Labels
-                                    type: string
-                                type: object
-                              type: array
-                            type:
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                namespaceSelector:
-                  description: |-
-                    The labels to select by to find the Namespaces to create the ExternalSecrets in.
-                    Deprecated: Use NamespaceSelectors instead.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                      items:
-                        description: |-
-                          A label selector requirement is a selector that contains values, a key, and an operator that
-                          relates the key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies to.
-                            type: string
-                          operator:
-                            description: |-
-                              operator represents a key's relationship to a set of values.
-                              Valid operators are In, NotIn, Exists and DoesNotExist.
-                            type: string
-                          values:
-                            description: |-
-                              values is an array of string values. If the operator is In or NotIn,
-                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                              the values array must be empty. This array is replaced during a strategic
-                              merge patch.
-                            items:
-                              type: string
-                            type: array
-                            x-kubernetes-list-type: atomic
-                        required:
-                          - key
-                          - operator
-                        type: object
-                      type: array
-                      x-kubernetes-list-type: atomic
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: |-
-                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                        map is equivalent to an element of matchExpressions, whose key field is "key", the
-                        operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      type: object
-                  type: object
-                  x-kubernetes-map-type: atomic
-                namespaceSelectors:
-                  description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
-                  items:
-                    description: |-
-                      A label selector is a label query over a set of resources. The result of matchLabels and
-                      matchExpressions are ANDed. An empty label selector matches all objects. A null
-                      label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: |-
-                            A label selector requirement is a selector that contains values, a key, and an operator that
-                            relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: |-
-                                operator represents a key's relationship to a set of values.
-                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: |-
-                                values is an array of string values. If the operator is In or NotIn,
-                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                the values array must be empty. This array is replaced during a strategic
-                                merge patch.
-                              items:
-                                type: string
-                              type: array
-                              x-kubernetes-list-type: atomic
-                          required:
-                            - key
-                            - operator
-                          type: object
-                        type: array
-                        x-kubernetes-list-type: atomic
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: |-
-                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                    x-kubernetes-map-type: atomic
-                  type: array
-                namespaces:
-                  description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
-                  items:
-                    type: string
-                  type: array
-                refreshTime:
-                  description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
-                  type: string
-              required:
-                - externalSecretSpec
-              type: object
-            status:
-              description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      message:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                externalSecretName:
-                  description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
-                  type: string
-                failedNamespaces:
-                  description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
-                  items:
-                    description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
-                    properties:
-                      namespace:
-                        description: Namespace is the namespace that failed when trying to apply an ExternalSecret
-                        type: string
-                      reason:
-                        description: Reason is why the ExternalSecret failed to apply to the namespace
-                        type: string
-                    required:
-                      - namespace
-                    type: object
-                  type: array
-                provisionedNamespaces:
-                  description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
-                  items:
-                    type: string
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clustersecretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterSecretStore
-    listKind: ClusterSecretStoreList
-    plural: clustersecretstores
-    shortNames:
-      - css
-    singular: clustersecretstore
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: ecrauthorizationtokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - ecrauthorizationtoken
-    kind: ECRAuthorizationToken
-    listKind: ECRAuthorizationTokenList
-    plural: ecrauthorizationtokens
-    shortNames:
-      - ecrauthorizationtoken
-    singular: ecrauthorizationtoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
-            authorization token.
-            The authorization token is valid for 12 hours.
-            The authorizationToken returned is a base64 encoded string that can be decoded
-            and used in a docker login command to authenticate to a registry.
-            For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines how to authenticate with AWS
-                  properties:
-                    jwt:
-                      description: Authenticate against AWS using service account tokens.
-                      properties:
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                    secretRef:
-                      description: |-
-                        AWSAuthSecretRef holds secret references for AWS credentials
-                        both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                      properties:
-                        accessKeyIDSecretRef:
-                          description: The AccessKeyID is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        sessionTokenSecretRef:
-                          description: |-
-                            The SessionToken used for authentication
-                            This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                            see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                region:
-                  description: Region specifies the region to operate in.
-                  type: string
-                role:
-                  description: |-
-                    You can assume a role before making calls to the
-                    desired AWS service.
-                  type: string
-              required:
-                - region
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: externalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ExternalSecret
-    listKind: ExternalSecretList
-    plural: externalsecrets
-    shortNames:
-      - es
-    singular: externalsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: ExternalSecretDataRemoteRef defines Provider data location.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        type: string
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    description: ExternalSecretDataRemoteRef defines Provider data location.
-                    properties:
-                      conversionStrategy:
-                        default: Default
-                        description: Used to define a conversion Strategy
-                        enum:
-                          - Default
-                          - Unicode
-                        type: string
-                      key:
-                        description: Key is the key used in the Provider, mandatory
-                        type: string
-                      property:
-                        description: Used to select a specific property of the Provider value (if a map), if supported
-                        type: string
-                      version:
-                        description: Used to select a specific version of the Provider value, if supported
-                        type: string
-                    required:
-                      - key
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Merge
-                        - None
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v1
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            maxProperties: 1
-                            minProperties: 1
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              required:
-                - secretStoreRef
-                - target
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: |-
-                          RemoteRef points to the remote secret and defines
-                          which secret (version/property/..) to fetch.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        description: |-
-                          SecretKey defines the key in which the controller stores
-                          the value. This is the key in the Kind=Secret
-                        type: string
-                      sourceRef:
-                        description: |-
-                          SourceRef allows you to override the source
-                          from which the value will pulled from.
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: |-
-                              GeneratorRef points to a generator custom resource.
-
-
-                              Deprecated: The generatorRef is not implemented in .data[].
-                              this will be removed with v1.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    properties:
-                      extract:
-                        description: |-
-                          Used to extract multiple key/value pairs from one secret
-                          Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      find:
-                        description: |-
-                          Used to find secrets based on tags or regular expressions
-                          Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          name:
-                            description: Finds secrets based on the name.
-                            properties:
-                              regexp:
-                                description: Finds secrets base
-                                type: string
-                            type: object
-                          path:
-                            description: A root path to start the find operations.
-                            type: string
-                          tags:
-                            additionalProperties:
-                              type: string
-                            description: Find secrets based on tags.
-                            type: object
-                        type: object
-                      rewrite:
-                        description: |-
-                          Used to rewrite secret Keys after getting them from the secret Provider
-                          Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                        items:
-                          properties:
-                            regexp:
-                              description: |-
-                                Used to rewrite with regular expressions.
-                                The resulting key will be the output of a regexp.ReplaceAll operation.
-                              properties:
-                                source:
-                                  description: Used to define the regular expression of a re.Compiler.
-                                  type: string
-                                target:
-                                  description: Used to define the target pattern of a ReplaceAll operation.
-                                  type: string
-                              required:
-                                - source
-                                - target
-                              type: object
-                            transform:
-                              description: |-
-                                Used to apply string transformation on the secrets.
-                                The resulting key will be the output of the template applied by the operation.
-                              properties:
-                                template:
-                                  description: |-
-                                    Used to define the template to apply on the secret name.
-                                    `.value ` will specify the secret name in the template.
-                                  type: string
-                              required:
-                                - template
-                              type: object
-                          type: object
-                        type: array
-                      sourceRef:
-                        description: |-
-                          SourceRef points to a store or generator
-                          which contains secret values ready to use.
-                          Use this in combination with Extract or Find pull values out of
-                          a specific SecretStore.
-                          When sourceRef points to a generator Extract or Find is not supported.
-                          The generator returns a static map of values
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: GeneratorRef points to a generator custom resource.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  default:
-                    creationPolicy: Owner
-                    deletionPolicy: Retain
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Orphan
-                        - Merge
-                        - None
-                      type: string
-                    deletionPolicy:
-                      default: Retain
-                      description: |-
-                        DeletionPolicy defines rules on how to delete the resulting Secret
-                        Defaults to 'Retain'
-                      enum:
-                        - Delete
-                        - Merge
-                        - Retain
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v2
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        mergePolicy:
-                          default: Replace
-                          enum:
-                            - Replace
-                            - Merge
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              literal:
-                                type: string
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              target:
-                                default: Data
-                                enum:
-                                  - Data
-                                  - Annotations
-                                  - Labels
-                                type: string
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: fakes.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - fake
-    kind: Fake
-    listKind: FakeList
-    plural: fakes
-    shortNames:
-      - fake
-    singular: fake
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Fake generator is used for testing. It lets you define
-            a static set of credentials that is always returned.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: FakeSpec contains the static data.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                data:
-                  additionalProperties:
-                    type: string
-                  description: |-
-                    Data defines the static data returned
-                    by this generator.
-                  type: object
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: gcraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - gcraccesstoken
-    kind: GCRAccessToken
-    listKind: GCRAccessTokenList
-    plural: gcraccesstokens
-    shortNames:
-      - gcraccesstoken
-    singular: gcraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            GCRAccessToken generates an GCP access token
-            that can be used to authenticate with GCR.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines the means for authenticating with GCP
-                  properties:
-                    secretRef:
-                      properties:
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    workloadIdentity:
-                      properties:
-                        clusterLocation:
-                          type: string
-                        clusterName:
-                          type: string
-                        clusterProjectID:
-                          type: string
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      required:
-                        - clusterLocation
-                        - clusterName
-                        - serviceAccountRef
-                      type: object
-                  type: object
-                projectID:
-                  description: ProjectID defines which project to use to authenticate with
-                  type: string
-              required:
-                - auth
-                - projectID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: githubaccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - githubaccesstoken
-    kind: GithubAccessToken
-    listKind: GithubAccessTokenList
-    plural: githubaccesstokens
-    shortNames:
-      - githubaccesstoken
-    singular: githubaccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: GithubAccessToken generates ghs_ accessToken
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                appID:
-                  type: string
-                auth:
-                  description: Auth configures how ESO authenticates with a Github instance.
-                  properties:
-                    privateKey:
-                      properties:
-                        secretRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                  required:
-                    - privateKey
-                  type: object
-                installID:
-                  type: string
-                url:
-                  description: URL configures the Github instance URL. Defaults to https://github.com/.
-                  type: string
-              required:
-                - appID
-                - auth
-                - installID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: passwords.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - password
-    kind: Password
-    listKind: PasswordList
-    plural: passwords
-    shortNames:
-      - password
-    singular: password
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Password generates a random password based on the
-            configuration parameters in spec.
-            You can specify the length, characterset and other attributes.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PasswordSpec controls the behavior of the password generator.
-              properties:
-                allowRepeat:
-                  default: false
-                  description: set AllowRepeat to true to allow repeating characters.
-                  type: boolean
-                digits:
-                  description: |-
-                    Digits specifies the number of digits in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-                length:
-                  default: 24
-                  description: |-
-                    Length of the password to be generated.
-                    Defaults to 24
-                  type: integer
-                noUpper:
-                  default: false
-                  description: Set NoUpper to disable uppercase characters
-                  type: boolean
-                symbolCharacters:
-                  description: |-
-                    SymbolCharacters specifies the special characters that should be used
-                    in the generated password.
-                  type: string
-                symbols:
-                  description: |-
-                    Symbols specifies the number of symbol characters in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-              required:
-                - allowRepeat
-                - length
-                - noUpper
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  name: pushsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - pushsecrets
-    kind: PushSecret
-    listKind: PushSecretList
-    plural: pushsecrets
-    singular: pushsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PushSecretSpec configures the behavior of the PushSecret.
-              properties:
-                data:
-                  description: Secret Data that should be pushed to providers
-                  items:
-                    properties:
-                      conversionStrategy:
-                        default: None
-                        description: Used to define a conversion Strategy for the secret keys
-                        enum:
-                          - None
-                          - ReverseUnicode
-                        type: string
-                      match:
-                        description: Match a given Secret Key to be pushed to the provider.
-                        properties:
-                          remoteRef:
-                            description: Remote Refs to push to providers.
-                            properties:
-                              property:
-                                description: Name of the property in the resulting secret
-                                type: string
-                              remoteKey:
-                                description: Name of the resulting provider secret.
-                                type: string
-                            required:
-                              - remoteKey
-                            type: object
-                          secretKey:
-                            description: Secret Key to be pushed
-                            type: string
-                        required:
-                          - remoteRef
-                        type: object
-                      metadata:
-                        description: |-
-                          Metadata is metadata attached to the secret.
-                          The structure of metadata is provider specific, please look it up in the provider documentation.
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                      - match
-                    type: object
-                  type: array
-                deletionPolicy:
-                  default: None
-                  description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
-                  enum:
-                    - Delete
-                    - None
-                  type: string
-                refreshInterval:
-                  description: The Interval to which External Secrets will try to push a secret definition
-                  type: string
-                secretStoreRefs:
-                  items:
-                    properties:
-                      kind:
-                        default: SecretStore
-                        description: |-
-                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                          Defaults to `SecretStore`
-                        type: string
-                      labelSelector:
-                        description: Optionally, sync to secret stores with label selector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      name:
-                        description: Optionally, sync to the SecretStore of the given name
-                        type: string
-                    type: object
-                  type: array
-                selector:
-                  description: The Secret Selector (k8s source) for the Push Secret
-                  properties:
-                    secret:
-                      description: Select a Secret to Push.
-                      properties:
-                        name:
-                          description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
-                          type: string
-                      required:
-                        - name
-                      type: object
-                  required:
-                    - secret
-                  type: object
-                template:
-                  description: Template defines a blueprint for the created Secret resource.
-                  properties:
-                    data:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    engineVersion:
-                      default: v2
-                      description: |-
-                        EngineVersion specifies the template engine version
-                        that should be used to compile/execute the
-                        template specified in .data and .templateFrom[].
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                    mergePolicy:
-                      default: Replace
-                      enum:
-                        - Replace
-                        - Merge
-                      type: string
-                    metadata:
-                      description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        labels:
-                          additionalProperties:
-                            type: string
-                          type: object
-                      type: object
-                    templateFrom:
-                      items:
-                        properties:
-                          configMap:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          literal:
-                            type: string
-                          secret:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          target:
-                            default: Data
-                            enum:
-                              - Data
-                              - Annotations
-                              - Labels
-                            type: string
-                        type: object
-                      type: array
-                    type:
-                      type: string
-                  type: object
-                updatePolicy:
-                  default: Replace
-                  description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
-                  enum:
-                    - Replace
-                    - IfNotExists
-                  type: string
-              required:
-                - secretStoreRefs
-                - selector
-              type: object
-            status:
-              description: PushSecretStatus indicates the history of the status of PushSecret.
-              properties:
-                conditions:
-                  items:
-                    description: PushSecretStatusCondition indicates the status of the PushSecret.
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        description: PushSecretConditionType indicates the condition of the PushSecret.
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedPushSecrets:
-                  additionalProperties:
-                    additionalProperties:
-                      properties:
-                        conversionStrategy:
-                          default: None
-                          description: Used to define a conversion Strategy for the secret keys
-                          enum:
-                            - None
-                            - ReverseUnicode
-                          type: string
-                        match:
-                          description: Match a given Secret Key to be pushed to the provider.
-                          properties:
-                            remoteRef:
-                              description: Remote Refs to push to providers.
-                              properties:
-                                property:
-                                  description: Name of the property in the resulting secret
-                                  type: string
-                                remoteKey:
-                                  description: Name of the resulting provider secret.
-                                  type: string
-                              required:
-                                - remoteKey
-                              type: object
-                            secretKey:
-                              description: Secret Key to be pushed
-                              type: string
-                          required:
-                            - remoteRef
-                          type: object
-                        metadata:
-                          description: |-
-                            Metadata is metadata attached to the secret.
-                            The structure of metadata is provider specific, please look it up in the provider documentation.
-                          x-kubernetes-preserve-unknown-fields: true
-                      required:
-                        - match
-                      type: object
-                    type: object
-                  description: |-
-                    Synced PushSecrets, including secrets that already exist in provider.
-                    Matches secret stores to PushSecretData that was stored to that secret store.
-                  type: object
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version.
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: secretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: SecretStore
-    listKind: SecretStoreList
-    plural: secretstores
-    shortNames:
-      - ss
-    singular: secretstore
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: vaultdynamicsecrets.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - vaultdynamicsecret
-    kind: VaultDynamicSecret
-    listKind: VaultDynamicSecretList
-    plural: vaultdynamicsecrets
-    shortNames:
-      - vaultdynamicsecret
-    singular: vaultdynamicsecret
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                method:
-                  description: Vault API method to use (GET/POST/other)
-                  type: string
-                parameters:
-                  description: Parameters to pass to Vault write (for non-GET methods)
-                  x-kubernetes-preserve-unknown-fields: true
-                path:
-                  description: Vault path to obtain the dynamic secret from
-                  type: string
-                provider:
-                  description: Vault provider common spec
-                  properties:
-                    auth:
-                      description: Auth configures how secret-manager authenticates with the Vault server.
-                      properties:
-                        appRole:
-                          description: |-
-                            AppRole authenticates with Vault using the App Role auth mechanism,
-                            with the role and secret stored in a Kubernetes Secret resource.
-                          properties:
-                            path:
-                              default: approle
-                              description: |-
-                                Path where the App Role authentication backend is mounted
-                                in Vault, e.g: "approle"
-                              type: string
-                            roleId:
-                              description: |-
-                                RoleID configured in the App Role authentication backend when setting
-                                up the authentication backend in Vault.
-                              type: string
-                            roleRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role ID used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role id.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role secret used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role secret.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                            - secretRef
-                          type: object
-                        cert:
-                          description: |-
-                            Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                            Cert authentication method
-                          properties:
-                            clientCert:
-                              description: |-
-                                ClientCert is a certificate to authenticate using the Cert Vault
-                                authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing client private key to
-                                authenticate with Vault using the Cert authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        iam:
-                          description: |-
-                            Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                            AWS IAM authentication method
-                          properties:
-                            externalID:
-                              description: AWS External ID set on assumed IAM roles
-                              type: string
-                            jwt:
-                              description: Specify a service account with IRSA enabled
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            path:
-                              description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                              type: string
-                            region:
-                              description: AWS region
-                              type: string
-                            role:
-                              description: This is the AWS role to be assumed before talking to vault
-                              type: string
-                            secretRef:
-                              description: Specify credentials in a Secret object
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            vaultAwsIamServerID:
-                              description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                              type: string
-                            vaultRole:
-                              description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                              type: string
-                          required:
-                            - vaultRole
-                          type: object
-                        jwt:
-                          description: |-
-                            Jwt authenticates with Vault by passing role and JWT token using the
-                            JWT/OIDC authentication method
-                          properties:
-                            kubernetesServiceAccountToken:
-                              description: |-
-                                Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                a token for with the `TokenRequest` API.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Optional audiences field that will be used to request a temporary Kubernetes service
-                                    account token for the service account referenced by `serviceAccountRef`.
-                                    Defaults to a single audience `vault` it not specified.
-                                    Deprecated: use serviceAccountRef.Audiences instead
-                                  items:
-                                    type: string
-                                  type: array
-                                expirationSeconds:
-                                  description: |-
-                                    Optional expiration time in seconds that will be used to request a temporary
-                                    Kubernetes service account token for the service account referenced by
-                                    `serviceAccountRef`.
-                                    Deprecated: this will be removed in the future.
-                                    Defaults to 10 minutes.
-                                  format: int64
-                                  type: integer
-                                serviceAccountRef:
-                                  description: Service account field containing the name of a kubernetes ServiceAccount.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - serviceAccountRef
-                              type: object
-                            path:
-                              default: jwt
-                              description: |-
-                                Path where the JWT authentication backend is mounted
-                                in Vault, e.g: "jwt"
-                              type: string
-                            role:
-                              description: |-
-                                Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                authentication method
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                authenticate with Vault using the JWT/OIDC authentication method.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                          type: object
-                        kubernetes:
-                          description: |-
-                            Kubernetes authenticates with Vault by passing the ServiceAccount
-                            token stored in the named Secret resource to the Vault server.
-                          properties:
-                            mountPath:
-                              default: kubernetes
-                              description: |-
-                                Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                "kubernetes"
-                              type: string
-                            role:
-                              description: |-
-                                A required field containing the Vault Role to assume. A Role binds a
-                                Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                for authenticating with Vault. If a name is specified without a key,
-                                `token` is the default. If one is not specified, the one bound to
-                                the controller will be used.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            serviceAccountRef:
-                              description: |-
-                                Optional service account field containing the name of a kubernetes ServiceAccount.
-                                If the service account is specified, the service account secret token JWT will be used
-                                for authenticating with Vault. If the service account selector is not supplied,
-                                the secretRef will be used instead.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          required:
-                            - mountPath
-                            - role
-                          type: object
-                        ldap:
-                          description: |-
-                            Ldap authenticates with Vault by passing username/password pair using
-                            the LDAP authentication method
-                          properties:
-                            path:
-                              default: ldap
-                              description: |-
-                                Path where the LDAP authentication backend is mounted
-                                in Vault, e.g: "ldap"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the LDAP
-                                user used to authenticate with Vault using the LDAP authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a LDAP user name used to authenticate using the LDAP Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                            Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                            This will default to Vault.Namespace field if set, or empty otherwise
-                          type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        userPass:
-                          description: UserPass authenticates with Vault by passing username/password pair
-                          properties:
-                            path:
-                              default: user
-                              description: |-
-                                Path where the UserPassword authentication backend is mounted
-                                in Vault, e.g: "user"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the
-                                user used to authenticate with Vault using the UserPass authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a user name used to authenticate using the UserPass Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                      type: object
-                    caBundle:
-                      description: |-
-                        PEM encoded CA bundle used to validate Vault server certificate. Only used
-                        if the Server URL is using HTTPS protocol. This parameter is ignored for
-                        plain HTTP protocol connection. If not set the system root certificates
-                        are used to validate the TLS connection.
-                      format: byte
-                      type: string
-                    caProvider:
-                      description: The provider for the CA bundle to use to validate Vault server certificate.
-                      properties:
-                        key:
-                          description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                          type: string
-                        name:
-                          description: The name of the object located at the provider type.
-                          type: string
-                        namespace:
-                          description: |-
-                            The namespace the Provider type is in.
-                            Can only be defined when used in a ClusterSecretStore.
-                          type: string
-                        type:
-                          description: The type of provider to use such as "Secret", or "ConfigMap".
-                          enum:
-                            - Secret
-                            - ConfigMap
-                          type: string
-                      required:
-                        - name
-                        - type
-                      type: object
-                    forwardInconsistent:
-                      description: |-
-                        ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                        leader instead of simply retrying within a loop. This can increase performance if
-                        the option is enabled serverside.
-                        https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                      type: boolean
-                    headers:
-                      additionalProperties:
-                        type: string
-                      description: Headers to be added in Vault request
-                      type: object
-                    namespace:
-                      description: |-
-                        Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                        Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                        More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                      type: string
-                    path:
-                      description: |-
-                        Path is the mount path of the Vault KV backend endpoint, e.g:
-                        "secret". The v2 KV secret engine version specific "/data" path suffix
-                        for fetching secrets from Vault is optional and will be appended
-                        if not present in specified path.
-                      type: string
-                    readYourWrites:
-                      description: |-
-                        ReadYourWrites ensures isolated read-after-write semantics by
-                        providing discovered cluster replication states in each request.
-                        More information about eventual consistency in Vault can be found here
-                        https://www.vaultproject.io/docs/enterprise/consistency
-                      type: boolean
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                    tls:
-                      description: |-
-                        The configuration used for client side related TLS communication, when the Vault server
-                        requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                        This parameter is ignored for plain HTTP protocol connection.
-                        It's worth noting this configuration is different from the "TLS certificates auth method",
-                        which is available under the `auth.cert` section.
-                      properties:
-                        certSecretRef:
-                          description: |-
-                            CertSecretRef is a certificate added to the transport layer
-                            when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        keySecretRef:
-                          description: |-
-                            KeySecretRef to a key in a Secret resource containing client private key
-                            added to the transport layer when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    version:
-                      default: v2
-                      description: |-
-                        Version is the Vault KV secret engine version. This can be either "v1" or
-                        "v2". Version defaults to "v2".
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                  required:
-                    - auth
-                    - server
-                  type: object
-                resultType:
-                  default: Data
-                  description: |-
-                    Result type defines which data is returned from the generator.
-                    By default it is the "data" section of the Vault API response.
-                    When using e.g. /auth/token/create the "data" section is empty but
-                    the "auth" section contains the generated token.
-                    Please refer to the vault docs regarding the result data structure.
-                  enum:
-                    - Data
-                    - Auth
-                  type: string
-              required:
-                - path
-                - provider
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: webhooks.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - webhook
-    kind: Webhook
-    listKind: WebhookList
-    plural: webhooks
-    shortNames:
-      - webhookl
-    singular: webhook
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Webhook connects to a third party API server to handle the secrets generation
-            configuration parameters in spec.
-            You can specify the server, the token, and additional body parameters.
-            See documentation for the full API specification for requests and responses.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
-              properties:
-                body:
-                  description: Body
-                  type: string
-                caBundle:
-                  description: |-
-                    PEM encoded CA bundle used to validate webhook server certificate. Only used
-                    if the Server URL is using HTTPS protocol. This parameter is ignored for
-                    plain HTTP protocol connection. If not set the system root certificates
-                    are used to validate the TLS connection.
-                  format: byte
-                  type: string
-                caProvider:
-                  description: The provider for the CA bundle to use to validate webhook server certificate.
-                  properties:
-                    key:
-                      description: The key the value inside of the provider type to use, only used with "Secret" type
-                      type: string
-                    name:
-                      description: The name of the object located at the provider type.
-                      type: string
-                    namespace:
-                      description: The namespace the Provider type is in.
-                      type: string
-                    type:
-                      description: The type of provider to use such as "Secret", or "ConfigMap".
-                      enum:
-                        - Secret
-                        - ConfigMap
-                      type: string
-                  required:
-                    - name
-                    - type
-                  type: object
-                headers:
-                  additionalProperties:
-                    type: string
-                  description: Headers
-                  type: object
-                method:
-                  description: Webhook Method
-                  type: string
-                result:
-                  description: Result formatting
-                  properties:
-                    jsonPath:
-                      description: Json path of return value
-                      type: string
-                  type: object
-                secrets:
-                  description: |-
-                    Secrets to fill in templates
-                    These secrets will be passed to the templating function as key value pairs under the given name
-                  items:
-                    properties:
-                      name:
-                        description: Name of this secret in templates
-                        type: string
-                      secretRef:
-                        description: Secret ref to fill in credentials
-                        properties:
-                          key:
-                            description: The key where the token is found.
-                            type: string
-                          name:
-                            description: The name of the Secret resource being referred to.
-                            type: string
-                        type: object
-                    required:
-                      - name
-                      - secretRef
-                    type: object
-                  type: array
-                timeout:
-                  description: Timeout
-                  type: string
-                url:
-                  description: Webhook url to call
-                  type: string
-              required:
-                - result
-                - url
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "apiextensions.k8s.io"
-    resources:
-    - "customresourcedefinitions"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "admissionregistration.k8s.io"
-    resources:
-    - "validatingwebhookconfigurations"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "endpoints"
-    verbs:
-    - "list"
-    - "get"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "secretstores"
-    - "clustersecretstores"
-    - "externalsecrets"
-    - "clusterexternalsecrets"
-    - "pushsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    - "externalsecrets/status"
-    - "externalsecrets/finalizers"
-    - "secretstores"
-    - "secretstores/status"
-    - "secretstores/finalizers"
-    - "clustersecretstores"
-    - "clustersecretstores/status"
-    - "clustersecretstores/finalizers"
-    - "clusterexternalsecrets"
-    - "clusterexternalsecrets/status"
-    - "clusterexternalsecrets/finalizers"
-    - "pushsecrets"
-    - "pushsecrets/status"
-    - "pushsecrets/finalizers"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts"
-    - "namespaces"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "create"
-    - "update"
-    - "delete"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts/token"
-    verbs:
-    - "create"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "create"
-    - "update"
-    - "delete"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-view
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-edit
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-servicebindings
-  labels:
-    servicebinding.io/controller: "true"
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-cert-controller
-subjects:
-  - name: external-secrets-cert-controller
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-controller
-subjects:
-  - name: common-golang-external-secrets
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: role-tokenreview-binding
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: golang-external-secrets
-  namespace: golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    resourceNames:
-    - "external-secrets-controller"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "create"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: common-golang-external-secrets-leaderelection
-subjects:
-  - kind: ServiceAccount
-    name: common-golang-external-secrets
-    namespace: default
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
-spec:
-  type: ClusterIP
-  ports:
-  - port: 443
-    targetPort: 10250
-    protocol: TCP
-    name: webhook
-  selector:
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-cert-controller
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-cert-controller
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: external-secrets-cert-controller
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: cert-controller
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - certcontroller
-          - --crd-requeue-interval=5m
-          - --service-name=common-golang-external-secrets-webhook
-          - --service-namespace=default
-          - --secret-name=common-golang-external-secrets-webhook
-          - --secret-namespace=default
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          - --enable-partial-cache=true
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: common-golang-external-secrets
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: external-secrets
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - --concurrent=1
-          - --metrics-addr=:8080
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-      dnsPolicy: ClusterFirst
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-webhook
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      hostNetwork: false
-      serviceAccountName: external-secrets-webhook
-      automountServiceAccountToken: true
-      containers:
-        - name: webhook
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - webhook
-          - --port=10250
-          - --dns-name=common-golang-external-secrets-webhook.default.svc
-          - --cert-dir=/tmp/certs
-          - --check-interval=5m
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-            - containerPort: 10250
-              protocol: TCP
-              name: webhook
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
-          volumeMounts:
-            - name: certs
-              mountPath: /tmp/certs
-              readOnly: true
-      volumes:
-        - name: certs
-          secret:
-            secretName: common-golang-external-secrets-webhook
----
-# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: vault-backend
-  namespace: golang-external-secrets
-spec:
-  provider:
-    vault:
-      server: https://vault-vault.apps.hub.example.com
-      path: secret
-      # Version of KV backend
-      version: v2
-
-      caProvider:
-        type: ConfigMap
-        name: kube-root-ca.crt
-        key: ca.crt
-        namespace: golang-external-secrets
-
-      auth:
-        kubernetes:
-
-          mountPath: hub
-          role: hub-role
-
-          secretRef:
-            name: golang-external-secrets
-            namespace: golang-external-secrets
-            key: "token"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: secretstore-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.secretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["secretstores"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-secretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-
-- name: "validate.clustersecretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["clustersecretstores"]
-    scope:       "Cluster"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-clustersecretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: externalsecret-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.externalsecret.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["externalsecrets"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-externalsecret
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-  failurePolicy: Fail
diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml
deleted file mode 100644
index 3d12586b..00000000
--- a/tests/common-golang-external-secrets-naked.expected.yaml
+++ /dev/null
@@ -1,13143 +0,0 @@
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: golang-external-secrets
-  namespace: golang-external-secrets
-  annotations:
-    kubernetes.io/service-account.name: golang-external-secrets
-type: kubernetes.io/service-account-token
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: acraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - acraccesstoken
-    kind: ACRAccessToken
-    listKind: ACRAccessTokenList
-    plural: acraccesstokens
-    shortNames:
-      - acraccesstoken
-    singular: acraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ACRAccessToken returns a Azure Container Registry token
-            that can be used for pushing/pulling images.
-            Note: by default it will return an ACR Refresh Token with full access
-            (depending on the identity).
-            This can be scoped down to the repository level using .spec.scope.
-            In case scope is defined it will return an ACR Access Token.
-
-
-            See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: |-
-                ACRAccessTokenSpec defines how to generate the access token
-                e.g. how to authenticate and which registry to use.
-                see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
-              properties:
-                auth:
-                  properties:
-                    managedIdentity:
-                      description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
-                      properties:
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                      type: object
-                    servicePrincipal:
-                      description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
-                      properties:
-                        secretRef:
-                          description: |-
-                            Configuration used to authenticate with Azure using static
-                            credentials stored in a Kind=Secret.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                    workloadIdentity:
-                      description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
-                      properties:
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                  type: object
-                environmentType:
-                  default: PublicCloud
-                  description: |-
-                    EnvironmentType specifies the Azure cloud environment endpoints to use for
-                    connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                    The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                    PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                  enum:
-                    - PublicCloud
-                    - USGovernmentCloud
-                    - ChinaCloud
-                    - GermanCloud
-                  type: string
-                registry:
-                  description: |-
-                    the domain name of the ACR registry
-                    e.g. foobarexample.azurecr.io
-                  type: string
-                scope:
-                  description: |-
-                    Define the scope for the access token, e.g. pull/push access for a repository.
-                    if not provided it will return a refresh token that has full scope.
-                    Note: you need to pin it down to the repository level, there is no wildcard available.
-
-
-                    examples:
-                    repository:my-repository:pull,push
-                    repository:my-repository:pull
-
-
-                    see docs for details: https://docs.docker.com/registry/spec/auth/scope/
-                  type: string
-                tenantId:
-                  description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                  type: string
-              required:
-                - auth
-                - registry
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clusterexternalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterExternalSecret
-    listKind: ClusterExternalSecretList
-    plural: clusterexternalsecrets
-    shortNames:
-      - ces
-    singular: clusterexternalsecret
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshTime
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
-              properties:
-                externalSecretMetadata:
-                  description: The metadata of the external secrets to be created
-                  properties:
-                    annotations:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    labels:
-                      additionalProperties:
-                        type: string
-                      type: object
-                  type: object
-                externalSecretName:
-                  description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
-                  type: string
-                externalSecretSpec:
-                  description: The spec for the ExternalSecrets to be created
-                  properties:
-                    data:
-                      description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                      items:
-                        description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                        properties:
-                          remoteRef:
-                            description: |-
-                              RemoteRef points to the remote secret and defines
-                              which secret (version/property/..) to fetch.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          secretKey:
-                            description: |-
-                              SecretKey defines the key in which the controller stores
-                              the value. This is the key in the Kind=Secret
-                            type: string
-                          sourceRef:
-                            description: |-
-                              SourceRef allows you to override the source
-                              from which the value will pulled from.
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: |-
-                                  GeneratorRef points to a generator custom resource.
-
-
-                                  Deprecated: The generatorRef is not implemented in .data[].
-                                  this will be removed with v1.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        required:
-                          - remoteRef
-                          - secretKey
-                        type: object
-                      type: array
-                    dataFrom:
-                      description: |-
-                        DataFrom is used to fetch all properties from a specific Provider data
-                        If multiple entries are specified, the Secret keys are merged in the specified order
-                      items:
-                        properties:
-                          extract:
-                            description: |-
-                              Used to extract multiple key/value pairs from one secret
-                              Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          find:
-                            description: |-
-                              Used to find secrets based on tags or regular expressions
-                              Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              name:
-                                description: Finds secrets based on the name.
-                                properties:
-                                  regexp:
-                                    description: Finds secrets base
-                                    type: string
-                                type: object
-                              path:
-                                description: A root path to start the find operations.
-                                type: string
-                              tags:
-                                additionalProperties:
-                                  type: string
-                                description: Find secrets based on tags.
-                                type: object
-                            type: object
-                          rewrite:
-                            description: |-
-                              Used to rewrite secret Keys after getting them from the secret Provider
-                              Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                            items:
-                              properties:
-                                regexp:
-                                  description: |-
-                                    Used to rewrite with regular expressions.
-                                    The resulting key will be the output of a regexp.ReplaceAll operation.
-                                  properties:
-                                    source:
-                                      description: Used to define the regular expression of a re.Compiler.
-                                      type: string
-                                    target:
-                                      description: Used to define the target pattern of a ReplaceAll operation.
-                                      type: string
-                                  required:
-                                    - source
-                                    - target
-                                  type: object
-                                transform:
-                                  description: |-
-                                    Used to apply string transformation on the secrets.
-                                    The resulting key will be the output of the template applied by the operation.
-                                  properties:
-                                    template:
-                                      description: |-
-                                        Used to define the template to apply on the secret name.
-                                        `.value ` will specify the secret name in the template.
-                                      type: string
-                                  required:
-                                    - template
-                                  type: object
-                              type: object
-                            type: array
-                          sourceRef:
-                            description: |-
-                              SourceRef points to a store or generator
-                              which contains secret values ready to use.
-                              Use this in combination with Extract or Find pull values out of
-                              a specific SecretStore.
-                              When sourceRef points to a generator Extract or Find is not supported.
-                              The generator returns a static map of values
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: GeneratorRef points to a generator custom resource.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        type: object
-                      type: array
-                    refreshInterval:
-                      default: 1h
-                      description: |-
-                        RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                        Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                        May be set to zero to fetch and create it once. Defaults to 1h.
-                      type: string
-                    secretStoreRef:
-                      description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                      properties:
-                        kind:
-                          description: |-
-                            Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                            Defaults to `SecretStore`
-                          type: string
-                        name:
-                          description: Name of the SecretStore resource
-                          type: string
-                      required:
-                        - name
-                      type: object
-                    target:
-                      default:
-                        creationPolicy: Owner
-                        deletionPolicy: Retain
-                      description: |-
-                        ExternalSecretTarget defines the Kubernetes Secret to be created
-                        There can be only one target per ExternalSecret.
-                      properties:
-                        creationPolicy:
-                          default: Owner
-                          description: |-
-                            CreationPolicy defines rules on how to create the resulting Secret
-                            Defaults to 'Owner'
-                          enum:
-                            - Owner
-                            - Orphan
-                            - Merge
-                            - None
-                          type: string
-                        deletionPolicy:
-                          default: Retain
-                          description: |-
-                            DeletionPolicy defines rules on how to delete the resulting Secret
-                            Defaults to 'Retain'
-                          enum:
-                            - Delete
-                            - Merge
-                            - Retain
-                          type: string
-                        immutable:
-                          description: Immutable defines if the final secret will be immutable
-                          type: boolean
-                        name:
-                          description: |-
-                            Name defines the name of the Secret resource to be managed
-                            This field is immutable
-                            Defaults to the .metadata.name of the ExternalSecret resource
-                          type: string
-                        template:
-                          description: Template defines a blueprint for the created Secret resource.
-                          properties:
-                            data:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            engineVersion:
-                              default: v2
-                              description: |-
-                                EngineVersion specifies the template engine version
-                                that should be used to compile/execute the
-                                template specified in .data and .templateFrom[].
-                              enum:
-                                - v1
-                                - v2
-                              type: string
-                            mergePolicy:
-                              default: Replace
-                              enum:
-                                - Replace
-                                - Merge
-                              type: string
-                            metadata:
-                              description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                              properties:
-                                annotations:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                                labels:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                              type: object
-                            templateFrom:
-                              items:
-                                properties:
-                                  configMap:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  literal:
-                                    type: string
-                                  secret:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  target:
-                                    default: Data
-                                    enum:
-                                      - Data
-                                      - Annotations
-                                      - Labels
-                                    type: string
-                                type: object
-                              type: array
-                            type:
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                namespaceSelector:
-                  description: |-
-                    The labels to select by to find the Namespaces to create the ExternalSecrets in.
-                    Deprecated: Use NamespaceSelectors instead.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                      items:
-                        description: |-
-                          A label selector requirement is a selector that contains values, a key, and an operator that
-                          relates the key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies to.
-                            type: string
-                          operator:
-                            description: |-
-                              operator represents a key's relationship to a set of values.
-                              Valid operators are In, NotIn, Exists and DoesNotExist.
-                            type: string
-                          values:
-                            description: |-
-                              values is an array of string values. If the operator is In or NotIn,
-                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                              the values array must be empty. This array is replaced during a strategic
-                              merge patch.
-                            items:
-                              type: string
-                            type: array
-                            x-kubernetes-list-type: atomic
-                        required:
-                          - key
-                          - operator
-                        type: object
-                      type: array
-                      x-kubernetes-list-type: atomic
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: |-
-                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                        map is equivalent to an element of matchExpressions, whose key field is "key", the
-                        operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      type: object
-                  type: object
-                  x-kubernetes-map-type: atomic
-                namespaceSelectors:
-                  description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
-                  items:
-                    description: |-
-                      A label selector is a label query over a set of resources. The result of matchLabels and
-                      matchExpressions are ANDed. An empty label selector matches all objects. A null
-                      label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: |-
-                            A label selector requirement is a selector that contains values, a key, and an operator that
-                            relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: |-
-                                operator represents a key's relationship to a set of values.
-                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: |-
-                                values is an array of string values. If the operator is In or NotIn,
-                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                the values array must be empty. This array is replaced during a strategic
-                                merge patch.
-                              items:
-                                type: string
-                              type: array
-                              x-kubernetes-list-type: atomic
-                          required:
-                            - key
-                            - operator
-                          type: object
-                        type: array
-                        x-kubernetes-list-type: atomic
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: |-
-                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                    x-kubernetes-map-type: atomic
-                  type: array
-                namespaces:
-                  description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
-                  items:
-                    type: string
-                  type: array
-                refreshTime:
-                  description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
-                  type: string
-              required:
-                - externalSecretSpec
-              type: object
-            status:
-              description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      message:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                externalSecretName:
-                  description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
-                  type: string
-                failedNamespaces:
-                  description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
-                  items:
-                    description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
-                    properties:
-                      namespace:
-                        description: Namespace is the namespace that failed when trying to apply an ExternalSecret
-                        type: string
-                      reason:
-                        description: Reason is why the ExternalSecret failed to apply to the namespace
-                        type: string
-                    required:
-                      - namespace
-                    type: object
-                  type: array
-                provisionedNamespaces:
-                  description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
-                  items:
-                    type: string
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clustersecretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterSecretStore
-    listKind: ClusterSecretStoreList
-    plural: clustersecretstores
-    shortNames:
-      - css
-    singular: clustersecretstore
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: ecrauthorizationtokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - ecrauthorizationtoken
-    kind: ECRAuthorizationToken
-    listKind: ECRAuthorizationTokenList
-    plural: ecrauthorizationtokens
-    shortNames:
-      - ecrauthorizationtoken
-    singular: ecrauthorizationtoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
-            authorization token.
-            The authorization token is valid for 12 hours.
-            The authorizationToken returned is a base64 encoded string that can be decoded
-            and used in a docker login command to authenticate to a registry.
-            For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines how to authenticate with AWS
-                  properties:
-                    jwt:
-                      description: Authenticate against AWS using service account tokens.
-                      properties:
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                    secretRef:
-                      description: |-
-                        AWSAuthSecretRef holds secret references for AWS credentials
-                        both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                      properties:
-                        accessKeyIDSecretRef:
-                          description: The AccessKeyID is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        sessionTokenSecretRef:
-                          description: |-
-                            The SessionToken used for authentication
-                            This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                            see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                region:
-                  description: Region specifies the region to operate in.
-                  type: string
-                role:
-                  description: |-
-                    You can assume a role before making calls to the
-                    desired AWS service.
-                  type: string
-              required:
-                - region
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: externalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ExternalSecret
-    listKind: ExternalSecretList
-    plural: externalsecrets
-    shortNames:
-      - es
-    singular: externalsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: ExternalSecretDataRemoteRef defines Provider data location.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        type: string
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    description: ExternalSecretDataRemoteRef defines Provider data location.
-                    properties:
-                      conversionStrategy:
-                        default: Default
-                        description: Used to define a conversion Strategy
-                        enum:
-                          - Default
-                          - Unicode
-                        type: string
-                      key:
-                        description: Key is the key used in the Provider, mandatory
-                        type: string
-                      property:
-                        description: Used to select a specific property of the Provider value (if a map), if supported
-                        type: string
-                      version:
-                        description: Used to select a specific version of the Provider value, if supported
-                        type: string
-                    required:
-                      - key
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Merge
-                        - None
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v1
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            maxProperties: 1
-                            minProperties: 1
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              required:
-                - secretStoreRef
-                - target
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: |-
-                          RemoteRef points to the remote secret and defines
-                          which secret (version/property/..) to fetch.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        description: |-
-                          SecretKey defines the key in which the controller stores
-                          the value. This is the key in the Kind=Secret
-                        type: string
-                      sourceRef:
-                        description: |-
-                          SourceRef allows you to override the source
-                          from which the value will pulled from.
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: |-
-                              GeneratorRef points to a generator custom resource.
-
-
-                              Deprecated: The generatorRef is not implemented in .data[].
-                              this will be removed with v1.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    properties:
-                      extract:
-                        description: |-
-                          Used to extract multiple key/value pairs from one secret
-                          Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      find:
-                        description: |-
-                          Used to find secrets based on tags or regular expressions
-                          Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          name:
-                            description: Finds secrets based on the name.
-                            properties:
-                              regexp:
-                                description: Finds secrets base
-                                type: string
-                            type: object
-                          path:
-                            description: A root path to start the find operations.
-                            type: string
-                          tags:
-                            additionalProperties:
-                              type: string
-                            description: Find secrets based on tags.
-                            type: object
-                        type: object
-                      rewrite:
-                        description: |-
-                          Used to rewrite secret Keys after getting them from the secret Provider
-                          Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                        items:
-                          properties:
-                            regexp:
-                              description: |-
-                                Used to rewrite with regular expressions.
-                                The resulting key will be the output of a regexp.ReplaceAll operation.
-                              properties:
-                                source:
-                                  description: Used to define the regular expression of a re.Compiler.
-                                  type: string
-                                target:
-                                  description: Used to define the target pattern of a ReplaceAll operation.
-                                  type: string
-                              required:
-                                - source
-                                - target
-                              type: object
-                            transform:
-                              description: |-
-                                Used to apply string transformation on the secrets.
-                                The resulting key will be the output of the template applied by the operation.
-                              properties:
-                                template:
-                                  description: |-
-                                    Used to define the template to apply on the secret name.
-                                    `.value ` will specify the secret name in the template.
-                                  type: string
-                              required:
-                                - template
-                              type: object
-                          type: object
-                        type: array
-                      sourceRef:
-                        description: |-
-                          SourceRef points to a store or generator
-                          which contains secret values ready to use.
-                          Use this in combination with Extract or Find pull values out of
-                          a specific SecretStore.
-                          When sourceRef points to a generator Extract or Find is not supported.
-                          The generator returns a static map of values
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: GeneratorRef points to a generator custom resource.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  default:
-                    creationPolicy: Owner
-                    deletionPolicy: Retain
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Orphan
-                        - Merge
-                        - None
-                      type: string
-                    deletionPolicy:
-                      default: Retain
-                      description: |-
-                        DeletionPolicy defines rules on how to delete the resulting Secret
-                        Defaults to 'Retain'
-                      enum:
-                        - Delete
-                        - Merge
-                        - Retain
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v2
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        mergePolicy:
-                          default: Replace
-                          enum:
-                            - Replace
-                            - Merge
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              literal:
-                                type: string
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              target:
-                                default: Data
-                                enum:
-                                  - Data
-                                  - Annotations
-                                  - Labels
-                                type: string
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: fakes.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - fake
-    kind: Fake
-    listKind: FakeList
-    plural: fakes
-    shortNames:
-      - fake
-    singular: fake
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Fake generator is used for testing. It lets you define
-            a static set of credentials that is always returned.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: FakeSpec contains the static data.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                data:
-                  additionalProperties:
-                    type: string
-                  description: |-
-                    Data defines the static data returned
-                    by this generator.
-                  type: object
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: gcraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - gcraccesstoken
-    kind: GCRAccessToken
-    listKind: GCRAccessTokenList
-    plural: gcraccesstokens
-    shortNames:
-      - gcraccesstoken
-    singular: gcraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            GCRAccessToken generates an GCP access token
-            that can be used to authenticate with GCR.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines the means for authenticating with GCP
-                  properties:
-                    secretRef:
-                      properties:
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    workloadIdentity:
-                      properties:
-                        clusterLocation:
-                          type: string
-                        clusterName:
-                          type: string
-                        clusterProjectID:
-                          type: string
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      required:
-                        - clusterLocation
-                        - clusterName
-                        - serviceAccountRef
-                      type: object
-                  type: object
-                projectID:
-                  description: ProjectID defines which project to use to authenticate with
-                  type: string
-              required:
-                - auth
-                - projectID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: githubaccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - githubaccesstoken
-    kind: GithubAccessToken
-    listKind: GithubAccessTokenList
-    plural: githubaccesstokens
-    shortNames:
-      - githubaccesstoken
-    singular: githubaccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: GithubAccessToken generates ghs_ accessToken
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                appID:
-                  type: string
-                auth:
-                  description: Auth configures how ESO authenticates with a Github instance.
-                  properties:
-                    privateKey:
-                      properties:
-                        secretRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                  required:
-                    - privateKey
-                  type: object
-                installID:
-                  type: string
-                url:
-                  description: URL configures the Github instance URL. Defaults to https://github.com/.
-                  type: string
-              required:
-                - appID
-                - auth
-                - installID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: passwords.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - password
-    kind: Password
-    listKind: PasswordList
-    plural: passwords
-    shortNames:
-      - password
-    singular: password
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Password generates a random password based on the
-            configuration parameters in spec.
-            You can specify the length, characterset and other attributes.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PasswordSpec controls the behavior of the password generator.
-              properties:
-                allowRepeat:
-                  default: false
-                  description: set AllowRepeat to true to allow repeating characters.
-                  type: boolean
-                digits:
-                  description: |-
-                    Digits specifies the number of digits in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-                length:
-                  default: 24
-                  description: |-
-                    Length of the password to be generated.
-                    Defaults to 24
-                  type: integer
-                noUpper:
-                  default: false
-                  description: Set NoUpper to disable uppercase characters
-                  type: boolean
-                symbolCharacters:
-                  description: |-
-                    SymbolCharacters specifies the special characters that should be used
-                    in the generated password.
-                  type: string
-                symbols:
-                  description: |-
-                    Symbols specifies the number of symbol characters in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-              required:
-                - allowRepeat
-                - length
-                - noUpper
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  name: pushsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - pushsecrets
-    kind: PushSecret
-    listKind: PushSecretList
-    plural: pushsecrets
-    singular: pushsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PushSecretSpec configures the behavior of the PushSecret.
-              properties:
-                data:
-                  description: Secret Data that should be pushed to providers
-                  items:
-                    properties:
-                      conversionStrategy:
-                        default: None
-                        description: Used to define a conversion Strategy for the secret keys
-                        enum:
-                          - None
-                          - ReverseUnicode
-                        type: string
-                      match:
-                        description: Match a given Secret Key to be pushed to the provider.
-                        properties:
-                          remoteRef:
-                            description: Remote Refs to push to providers.
-                            properties:
-                              property:
-                                description: Name of the property in the resulting secret
-                                type: string
-                              remoteKey:
-                                description: Name of the resulting provider secret.
-                                type: string
-                            required:
-                              - remoteKey
-                            type: object
-                          secretKey:
-                            description: Secret Key to be pushed
-                            type: string
-                        required:
-                          - remoteRef
-                        type: object
-                      metadata:
-                        description: |-
-                          Metadata is metadata attached to the secret.
-                          The structure of metadata is provider specific, please look it up in the provider documentation.
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                      - match
-                    type: object
-                  type: array
-                deletionPolicy:
-                  default: None
-                  description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
-                  enum:
-                    - Delete
-                    - None
-                  type: string
-                refreshInterval:
-                  description: The Interval to which External Secrets will try to push a secret definition
-                  type: string
-                secretStoreRefs:
-                  items:
-                    properties:
-                      kind:
-                        default: SecretStore
-                        description: |-
-                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                          Defaults to `SecretStore`
-                        type: string
-                      labelSelector:
-                        description: Optionally, sync to secret stores with label selector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      name:
-                        description: Optionally, sync to the SecretStore of the given name
-                        type: string
-                    type: object
-                  type: array
-                selector:
-                  description: The Secret Selector (k8s source) for the Push Secret
-                  properties:
-                    secret:
-                      description: Select a Secret to Push.
-                      properties:
-                        name:
-                          description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
-                          type: string
-                      required:
-                        - name
-                      type: object
-                  required:
-                    - secret
-                  type: object
-                template:
-                  description: Template defines a blueprint for the created Secret resource.
-                  properties:
-                    data:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    engineVersion:
-                      default: v2
-                      description: |-
-                        EngineVersion specifies the template engine version
-                        that should be used to compile/execute the
-                        template specified in .data and .templateFrom[].
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                    mergePolicy:
-                      default: Replace
-                      enum:
-                        - Replace
-                        - Merge
-                      type: string
-                    metadata:
-                      description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        labels:
-                          additionalProperties:
-                            type: string
-                          type: object
-                      type: object
-                    templateFrom:
-                      items:
-                        properties:
-                          configMap:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          literal:
-                            type: string
-                          secret:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          target:
-                            default: Data
-                            enum:
-                              - Data
-                              - Annotations
-                              - Labels
-                            type: string
-                        type: object
-                      type: array
-                    type:
-                      type: string
-                  type: object
-                updatePolicy:
-                  default: Replace
-                  description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
-                  enum:
-                    - Replace
-                    - IfNotExists
-                  type: string
-              required:
-                - secretStoreRefs
-                - selector
-              type: object
-            status:
-              description: PushSecretStatus indicates the history of the status of PushSecret.
-              properties:
-                conditions:
-                  items:
-                    description: PushSecretStatusCondition indicates the status of the PushSecret.
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        description: PushSecretConditionType indicates the condition of the PushSecret.
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedPushSecrets:
-                  additionalProperties:
-                    additionalProperties:
-                      properties:
-                        conversionStrategy:
-                          default: None
-                          description: Used to define a conversion Strategy for the secret keys
-                          enum:
-                            - None
-                            - ReverseUnicode
-                          type: string
-                        match:
-                          description: Match a given Secret Key to be pushed to the provider.
-                          properties:
-                            remoteRef:
-                              description: Remote Refs to push to providers.
-                              properties:
-                                property:
-                                  description: Name of the property in the resulting secret
-                                  type: string
-                                remoteKey:
-                                  description: Name of the resulting provider secret.
-                                  type: string
-                              required:
-                                - remoteKey
-                              type: object
-                            secretKey:
-                              description: Secret Key to be pushed
-                              type: string
-                          required:
-                            - remoteRef
-                          type: object
-                        metadata:
-                          description: |-
-                            Metadata is metadata attached to the secret.
-                            The structure of metadata is provider specific, please look it up in the provider documentation.
-                          x-kubernetes-preserve-unknown-fields: true
-                      required:
-                        - match
-                      type: object
-                    type: object
-                  description: |-
-                    Synced PushSecrets, including secrets that already exist in provider.
-                    Matches secret stores to PushSecretData that was stored to that secret store.
-                  type: object
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version.
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: secretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: SecretStore
-    listKind: SecretStoreList
-    plural: secretstores
-    shortNames:
-      - ss
-    singular: secretstore
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: vaultdynamicsecrets.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - vaultdynamicsecret
-    kind: VaultDynamicSecret
-    listKind: VaultDynamicSecretList
-    plural: vaultdynamicsecrets
-    shortNames:
-      - vaultdynamicsecret
-    singular: vaultdynamicsecret
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                method:
-                  description: Vault API method to use (GET/POST/other)
-                  type: string
-                parameters:
-                  description: Parameters to pass to Vault write (for non-GET methods)
-                  x-kubernetes-preserve-unknown-fields: true
-                path:
-                  description: Vault path to obtain the dynamic secret from
-                  type: string
-                provider:
-                  description: Vault provider common spec
-                  properties:
-                    auth:
-                      description: Auth configures how secret-manager authenticates with the Vault server.
-                      properties:
-                        appRole:
-                          description: |-
-                            AppRole authenticates with Vault using the App Role auth mechanism,
-                            with the role and secret stored in a Kubernetes Secret resource.
-                          properties:
-                            path:
-                              default: approle
-                              description: |-
-                                Path where the App Role authentication backend is mounted
-                                in Vault, e.g: "approle"
-                              type: string
-                            roleId:
-                              description: |-
-                                RoleID configured in the App Role authentication backend when setting
-                                up the authentication backend in Vault.
-                              type: string
-                            roleRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role ID used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role id.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role secret used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role secret.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                            - secretRef
-                          type: object
-                        cert:
-                          description: |-
-                            Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                            Cert authentication method
-                          properties:
-                            clientCert:
-                              description: |-
-                                ClientCert is a certificate to authenticate using the Cert Vault
-                                authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing client private key to
-                                authenticate with Vault using the Cert authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        iam:
-                          description: |-
-                            Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                            AWS IAM authentication method
-                          properties:
-                            externalID:
-                              description: AWS External ID set on assumed IAM roles
-                              type: string
-                            jwt:
-                              description: Specify a service account with IRSA enabled
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            path:
-                              description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                              type: string
-                            region:
-                              description: AWS region
-                              type: string
-                            role:
-                              description: This is the AWS role to be assumed before talking to vault
-                              type: string
-                            secretRef:
-                              description: Specify credentials in a Secret object
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            vaultAwsIamServerID:
-                              description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                              type: string
-                            vaultRole:
-                              description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                              type: string
-                          required:
-                            - vaultRole
-                          type: object
-                        jwt:
-                          description: |-
-                            Jwt authenticates with Vault by passing role and JWT token using the
-                            JWT/OIDC authentication method
-                          properties:
-                            kubernetesServiceAccountToken:
-                              description: |-
-                                Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                a token for with the `TokenRequest` API.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Optional audiences field that will be used to request a temporary Kubernetes service
-                                    account token for the service account referenced by `serviceAccountRef`.
-                                    Defaults to a single audience `vault` it not specified.
-                                    Deprecated: use serviceAccountRef.Audiences instead
-                                  items:
-                                    type: string
-                                  type: array
-                                expirationSeconds:
-                                  description: |-
-                                    Optional expiration time in seconds that will be used to request a temporary
-                                    Kubernetes service account token for the service account referenced by
-                                    `serviceAccountRef`.
-                                    Deprecated: this will be removed in the future.
-                                    Defaults to 10 minutes.
-                                  format: int64
-                                  type: integer
-                                serviceAccountRef:
-                                  description: Service account field containing the name of a kubernetes ServiceAccount.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - serviceAccountRef
-                              type: object
-                            path:
-                              default: jwt
-                              description: |-
-                                Path where the JWT authentication backend is mounted
-                                in Vault, e.g: "jwt"
-                              type: string
-                            role:
-                              description: |-
-                                Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                authentication method
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                authenticate with Vault using the JWT/OIDC authentication method.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                          type: object
-                        kubernetes:
-                          description: |-
-                            Kubernetes authenticates with Vault by passing the ServiceAccount
-                            token stored in the named Secret resource to the Vault server.
-                          properties:
-                            mountPath:
-                              default: kubernetes
-                              description: |-
-                                Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                "kubernetes"
-                              type: string
-                            role:
-                              description: |-
-                                A required field containing the Vault Role to assume. A Role binds a
-                                Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                for authenticating with Vault. If a name is specified without a key,
-                                `token` is the default. If one is not specified, the one bound to
-                                the controller will be used.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            serviceAccountRef:
-                              description: |-
-                                Optional service account field containing the name of a kubernetes ServiceAccount.
-                                If the service account is specified, the service account secret token JWT will be used
-                                for authenticating with Vault. If the service account selector is not supplied,
-                                the secretRef will be used instead.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          required:
-                            - mountPath
-                            - role
-                          type: object
-                        ldap:
-                          description: |-
-                            Ldap authenticates with Vault by passing username/password pair using
-                            the LDAP authentication method
-                          properties:
-                            path:
-                              default: ldap
-                              description: |-
-                                Path where the LDAP authentication backend is mounted
-                                in Vault, e.g: "ldap"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the LDAP
-                                user used to authenticate with Vault using the LDAP authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a LDAP user name used to authenticate using the LDAP Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                            Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                            This will default to Vault.Namespace field if set, or empty otherwise
-                          type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        userPass:
-                          description: UserPass authenticates with Vault by passing username/password pair
-                          properties:
-                            path:
-                              default: user
-                              description: |-
-                                Path where the UserPassword authentication backend is mounted
-                                in Vault, e.g: "user"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the
-                                user used to authenticate with Vault using the UserPass authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a user name used to authenticate using the UserPass Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                      type: object
-                    caBundle:
-                      description: |-
-                        PEM encoded CA bundle used to validate Vault server certificate. Only used
-                        if the Server URL is using HTTPS protocol. This parameter is ignored for
-                        plain HTTP protocol connection. If not set the system root certificates
-                        are used to validate the TLS connection.
-                      format: byte
-                      type: string
-                    caProvider:
-                      description: The provider for the CA bundle to use to validate Vault server certificate.
-                      properties:
-                        key:
-                          description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                          type: string
-                        name:
-                          description: The name of the object located at the provider type.
-                          type: string
-                        namespace:
-                          description: |-
-                            The namespace the Provider type is in.
-                            Can only be defined when used in a ClusterSecretStore.
-                          type: string
-                        type:
-                          description: The type of provider to use such as "Secret", or "ConfigMap".
-                          enum:
-                            - Secret
-                            - ConfigMap
-                          type: string
-                      required:
-                        - name
-                        - type
-                      type: object
-                    forwardInconsistent:
-                      description: |-
-                        ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                        leader instead of simply retrying within a loop. This can increase performance if
-                        the option is enabled serverside.
-                        https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                      type: boolean
-                    headers:
-                      additionalProperties:
-                        type: string
-                      description: Headers to be added in Vault request
-                      type: object
-                    namespace:
-                      description: |-
-                        Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                        Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                        More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                      type: string
-                    path:
-                      description: |-
-                        Path is the mount path of the Vault KV backend endpoint, e.g:
-                        "secret". The v2 KV secret engine version specific "/data" path suffix
-                        for fetching secrets from Vault is optional and will be appended
-                        if not present in specified path.
-                      type: string
-                    readYourWrites:
-                      description: |-
-                        ReadYourWrites ensures isolated read-after-write semantics by
-                        providing discovered cluster replication states in each request.
-                        More information about eventual consistency in Vault can be found here
-                        https://www.vaultproject.io/docs/enterprise/consistency
-                      type: boolean
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                    tls:
-                      description: |-
-                        The configuration used for client side related TLS communication, when the Vault server
-                        requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                        This parameter is ignored for plain HTTP protocol connection.
-                        It's worth noting this configuration is different from the "TLS certificates auth method",
-                        which is available under the `auth.cert` section.
-                      properties:
-                        certSecretRef:
-                          description: |-
-                            CertSecretRef is a certificate added to the transport layer
-                            when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        keySecretRef:
-                          description: |-
-                            KeySecretRef to a key in a Secret resource containing client private key
-                            added to the transport layer when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    version:
-                      default: v2
-                      description: |-
-                        Version is the Vault KV secret engine version. This can be either "v1" or
-                        "v2". Version defaults to "v2".
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                  required:
-                    - auth
-                    - server
-                  type: object
-                resultType:
-                  default: Data
-                  description: |-
-                    Result type defines which data is returned from the generator.
-                    By default it is the "data" section of the Vault API response.
-                    When using e.g. /auth/token/create the "data" section is empty but
-                    the "auth" section contains the generated token.
-                    Please refer to the vault docs regarding the result data structure.
-                  enum:
-                    - Data
-                    - Auth
-                  type: string
-              required:
-                - path
-                - provider
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: webhooks.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - webhook
-    kind: Webhook
-    listKind: WebhookList
-    plural: webhooks
-    shortNames:
-      - webhookl
-    singular: webhook
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Webhook connects to a third party API server to handle the secrets generation
-            configuration parameters in spec.
-            You can specify the server, the token, and additional body parameters.
-            See documentation for the full API specification for requests and responses.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
-              properties:
-                body:
-                  description: Body
-                  type: string
-                caBundle:
-                  description: |-
-                    PEM encoded CA bundle used to validate webhook server certificate. Only used
-                    if the Server URL is using HTTPS protocol. This parameter is ignored for
-                    plain HTTP protocol connection. If not set the system root certificates
-                    are used to validate the TLS connection.
-                  format: byte
-                  type: string
-                caProvider:
-                  description: The provider for the CA bundle to use to validate webhook server certificate.
-                  properties:
-                    key:
-                      description: The key the value inside of the provider type to use, only used with "Secret" type
-                      type: string
-                    name:
-                      description: The name of the object located at the provider type.
-                      type: string
-                    namespace:
-                      description: The namespace the Provider type is in.
-                      type: string
-                    type:
-                      description: The type of provider to use such as "Secret", or "ConfigMap".
-                      enum:
-                        - Secret
-                        - ConfigMap
-                      type: string
-                  required:
-                    - name
-                    - type
-                  type: object
-                headers:
-                  additionalProperties:
-                    type: string
-                  description: Headers
-                  type: object
-                method:
-                  description: Webhook Method
-                  type: string
-                result:
-                  description: Result formatting
-                  properties:
-                    jsonPath:
-                      description: Json path of return value
-                      type: string
-                  type: object
-                secrets:
-                  description: |-
-                    Secrets to fill in templates
-                    These secrets will be passed to the templating function as key value pairs under the given name
-                  items:
-                    properties:
-                      name:
-                        description: Name of this secret in templates
-                        type: string
-                      secretRef:
-                        description: Secret ref to fill in credentials
-                        properties:
-                          key:
-                            description: The key where the token is found.
-                            type: string
-                          name:
-                            description: The name of the Secret resource being referred to.
-                            type: string
-                        type: object
-                    required:
-                      - name
-                      - secretRef
-                    type: object
-                  type: array
-                timeout:
-                  description: Timeout
-                  type: string
-                url:
-                  description: Webhook url to call
-                  type: string
-              required:
-                - result
-                - url
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "apiextensions.k8s.io"
-    resources:
-    - "customresourcedefinitions"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "admissionregistration.k8s.io"
-    resources:
-    - "validatingwebhookconfigurations"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "endpoints"
-    verbs:
-    - "list"
-    - "get"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "secretstores"
-    - "clustersecretstores"
-    - "externalsecrets"
-    - "clusterexternalsecrets"
-    - "pushsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    - "externalsecrets/status"
-    - "externalsecrets/finalizers"
-    - "secretstores"
-    - "secretstores/status"
-    - "secretstores/finalizers"
-    - "clustersecretstores"
-    - "clustersecretstores/status"
-    - "clustersecretstores/finalizers"
-    - "clusterexternalsecrets"
-    - "clusterexternalsecrets/status"
-    - "clusterexternalsecrets/finalizers"
-    - "pushsecrets"
-    - "pushsecrets/status"
-    - "pushsecrets/finalizers"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts"
-    - "namespaces"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "create"
-    - "update"
-    - "delete"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts/token"
-    verbs:
-    - "create"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "create"
-    - "update"
-    - "delete"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-view
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-edit
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-servicebindings
-  labels:
-    servicebinding.io/controller: "true"
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-cert-controller
-subjects:
-  - name: external-secrets-cert-controller
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-controller
-subjects:
-  - name: common-golang-external-secrets
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: role-tokenreview-binding
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: golang-external-secrets
-  namespace: golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    resourceNames:
-    - "external-secrets-controller"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "create"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: common-golang-external-secrets-leaderelection
-subjects:
-  - kind: ServiceAccount
-    name: common-golang-external-secrets
-    namespace: default
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
-spec:
-  type: ClusterIP
-  ports:
-  - port: 443
-    targetPort: 10250
-    protocol: TCP
-    name: webhook
-  selector:
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-cert-controller
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-cert-controller
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: external-secrets-cert-controller
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: cert-controller
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - certcontroller
-          - --crd-requeue-interval=5m
-          - --service-name=common-golang-external-secrets-webhook
-          - --service-namespace=default
-          - --secret-name=common-golang-external-secrets-webhook
-          - --secret-namespace=default
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          - --enable-partial-cache=true
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: common-golang-external-secrets
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: external-secrets
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - --concurrent=1
-          - --metrics-addr=:8080
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-      dnsPolicy: ClusterFirst
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-webhook
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      hostNetwork: false
-      serviceAccountName: external-secrets-webhook
-      automountServiceAccountToken: true
-      containers:
-        - name: webhook
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - webhook
-          - --port=10250
-          - --dns-name=common-golang-external-secrets-webhook.default.svc
-          - --cert-dir=/tmp/certs
-          - --check-interval=5m
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-            - containerPort: 10250
-              protocol: TCP
-              name: webhook
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
-          volumeMounts:
-            - name: certs
-              mountPath: /tmp/certs
-              readOnly: true
-      volumes:
-        - name: certs
-          secret:
-            secretName: common-golang-external-secrets-webhook
----
-# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: vault-backend
-  namespace: golang-external-secrets
-spec:
-  provider:
-    vault:
-      server: https://vault-vault.hub.example.com
-      path: secret
-      # Version of KV backend
-      version: v2
-
-      caProvider:
-        type: ConfigMap
-        name: kube-root-ca.crt
-        key: ca.crt
-        namespace: golang-external-secrets
-
-      auth:
-        kubernetes:
-
-          mountPath: hub
-          role: hub-role
-
-          secretRef:
-            name: golang-external-secrets
-            namespace: golang-external-secrets
-            key: "token"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: secretstore-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.secretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["secretstores"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-secretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-
-- name: "validate.clustersecretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["clustersecretstores"]
-    scope:       "Cluster"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-clustersecretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: externalsecret-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.externalsecret.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["externalsecrets"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-externalsecret
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-  failurePolicy: Fail
diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml
deleted file mode 100644
index 056054ba..00000000
--- a/tests/common-golang-external-secrets-normal.expected.yaml
+++ /dev/null
@@ -1,13143 +0,0 @@
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: golang-external-secrets
-  namespace: golang-external-secrets
-  annotations:
-    kubernetes.io/service-account.name: golang-external-secrets
-type: kubernetes.io/service-account-token
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: acraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - acraccesstoken
-    kind: ACRAccessToken
-    listKind: ACRAccessTokenList
-    plural: acraccesstokens
-    shortNames:
-      - acraccesstoken
-    singular: acraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ACRAccessToken returns a Azure Container Registry token
-            that can be used for pushing/pulling images.
-            Note: by default it will return an ACR Refresh Token with full access
-            (depending on the identity).
-            This can be scoped down to the repository level using .spec.scope.
-            In case scope is defined it will return an ACR Access Token.
-
-
-            See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: |-
-                ACRAccessTokenSpec defines how to generate the access token
-                e.g. how to authenticate and which registry to use.
-                see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
-              properties:
-                auth:
-                  properties:
-                    managedIdentity:
-                      description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
-                      properties:
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                      type: object
-                    servicePrincipal:
-                      description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
-                      properties:
-                        secretRef:
-                          description: |-
-                            Configuration used to authenticate with Azure using static
-                            credentials stored in a Kind=Secret.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                    workloadIdentity:
-                      description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
-                      properties:
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                  type: object
-                environmentType:
-                  default: PublicCloud
-                  description: |-
-                    EnvironmentType specifies the Azure cloud environment endpoints to use for
-                    connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                    The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                    PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                  enum:
-                    - PublicCloud
-                    - USGovernmentCloud
-                    - ChinaCloud
-                    - GermanCloud
-                  type: string
-                registry:
-                  description: |-
-                    the domain name of the ACR registry
-                    e.g. foobarexample.azurecr.io
-                  type: string
-                scope:
-                  description: |-
-                    Define the scope for the access token, e.g. pull/push access for a repository.
-                    if not provided it will return a refresh token that has full scope.
-                    Note: you need to pin it down to the repository level, there is no wildcard available.
-
-
-                    examples:
-                    repository:my-repository:pull,push
-                    repository:my-repository:pull
-
-
-                    see docs for details: https://docs.docker.com/registry/spec/auth/scope/
-                  type: string
-                tenantId:
-                  description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                  type: string
-              required:
-                - auth
-                - registry
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clusterexternalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterExternalSecret
-    listKind: ClusterExternalSecretList
-    plural: clusterexternalsecrets
-    shortNames:
-      - ces
-    singular: clusterexternalsecret
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshTime
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
-              properties:
-                externalSecretMetadata:
-                  description: The metadata of the external secrets to be created
-                  properties:
-                    annotations:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    labels:
-                      additionalProperties:
-                        type: string
-                      type: object
-                  type: object
-                externalSecretName:
-                  description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
-                  type: string
-                externalSecretSpec:
-                  description: The spec for the ExternalSecrets to be created
-                  properties:
-                    data:
-                      description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                      items:
-                        description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                        properties:
-                          remoteRef:
-                            description: |-
-                              RemoteRef points to the remote secret and defines
-                              which secret (version/property/..) to fetch.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          secretKey:
-                            description: |-
-                              SecretKey defines the key in which the controller stores
-                              the value. This is the key in the Kind=Secret
-                            type: string
-                          sourceRef:
-                            description: |-
-                              SourceRef allows you to override the source
-                              from which the value will pulled from.
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: |-
-                                  GeneratorRef points to a generator custom resource.
-
-
-                                  Deprecated: The generatorRef is not implemented in .data[].
-                                  this will be removed with v1.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        required:
-                          - remoteRef
-                          - secretKey
-                        type: object
-                      type: array
-                    dataFrom:
-                      description: |-
-                        DataFrom is used to fetch all properties from a specific Provider data
-                        If multiple entries are specified, the Secret keys are merged in the specified order
-                      items:
-                        properties:
-                          extract:
-                            description: |-
-                              Used to extract multiple key/value pairs from one secret
-                              Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              key:
-                                description: Key is the key used in the Provider, mandatory
-                                type: string
-                              metadataPolicy:
-                                default: None
-                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                                enum:
-                                  - None
-                                  - Fetch
-                                type: string
-                              property:
-                                description: Used to select a specific property of the Provider value (if a map), if supported
-                                type: string
-                              version:
-                                description: Used to select a specific version of the Provider value, if supported
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          find:
-                            description: |-
-                              Used to find secrets based on tags or regular expressions
-                              Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                            properties:
-                              conversionStrategy:
-                                default: Default
-                                description: Used to define a conversion Strategy
-                                enum:
-                                  - Default
-                                  - Unicode
-                                type: string
-                              decodingStrategy:
-                                default: None
-                                description: Used to define a decoding Strategy
-                                enum:
-                                  - Auto
-                                  - Base64
-                                  - Base64URL
-                                  - None
-                                type: string
-                              name:
-                                description: Finds secrets based on the name.
-                                properties:
-                                  regexp:
-                                    description: Finds secrets base
-                                    type: string
-                                type: object
-                              path:
-                                description: A root path to start the find operations.
-                                type: string
-                              tags:
-                                additionalProperties:
-                                  type: string
-                                description: Find secrets based on tags.
-                                type: object
-                            type: object
-                          rewrite:
-                            description: |-
-                              Used to rewrite secret Keys after getting them from the secret Provider
-                              Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                            items:
-                              properties:
-                                regexp:
-                                  description: |-
-                                    Used to rewrite with regular expressions.
-                                    The resulting key will be the output of a regexp.ReplaceAll operation.
-                                  properties:
-                                    source:
-                                      description: Used to define the regular expression of a re.Compiler.
-                                      type: string
-                                    target:
-                                      description: Used to define the target pattern of a ReplaceAll operation.
-                                      type: string
-                                  required:
-                                    - source
-                                    - target
-                                  type: object
-                                transform:
-                                  description: |-
-                                    Used to apply string transformation on the secrets.
-                                    The resulting key will be the output of the template applied by the operation.
-                                  properties:
-                                    template:
-                                      description: |-
-                                        Used to define the template to apply on the secret name.
-                                        `.value ` will specify the secret name in the template.
-                                      type: string
-                                  required:
-                                    - template
-                                  type: object
-                              type: object
-                            type: array
-                          sourceRef:
-                            description: |-
-                              SourceRef points to a store or generator
-                              which contains secret values ready to use.
-                              Use this in combination with Extract or Find pull values out of
-                              a specific SecretStore.
-                              When sourceRef points to a generator Extract or Find is not supported.
-                              The generator returns a static map of values
-                            maxProperties: 1
-                            properties:
-                              generatorRef:
-                                description: GeneratorRef points to a generator custom resource.
-                                properties:
-                                  apiVersion:
-                                    default: generators.external-secrets.io/v1alpha1
-                                    description: Specify the apiVersion of the generator resource
-                                    type: string
-                                  kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                    type: string
-                                  name:
-                                    description: Specify the name of the generator resource
-                                    type: string
-                                required:
-                                  - kind
-                                  - name
-                                type: object
-                              storeRef:
-                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                                properties:
-                                  kind:
-                                    description: |-
-                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                      Defaults to `SecretStore`
-                                    type: string
-                                  name:
-                                    description: Name of the SecretStore resource
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                            type: object
-                        type: object
-                      type: array
-                    refreshInterval:
-                      default: 1h
-                      description: |-
-                        RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                        Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                        May be set to zero to fetch and create it once. Defaults to 1h.
-                      type: string
-                    secretStoreRef:
-                      description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                      properties:
-                        kind:
-                          description: |-
-                            Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                            Defaults to `SecretStore`
-                          type: string
-                        name:
-                          description: Name of the SecretStore resource
-                          type: string
-                      required:
-                        - name
-                      type: object
-                    target:
-                      default:
-                        creationPolicy: Owner
-                        deletionPolicy: Retain
-                      description: |-
-                        ExternalSecretTarget defines the Kubernetes Secret to be created
-                        There can be only one target per ExternalSecret.
-                      properties:
-                        creationPolicy:
-                          default: Owner
-                          description: |-
-                            CreationPolicy defines rules on how to create the resulting Secret
-                            Defaults to 'Owner'
-                          enum:
-                            - Owner
-                            - Orphan
-                            - Merge
-                            - None
-                          type: string
-                        deletionPolicy:
-                          default: Retain
-                          description: |-
-                            DeletionPolicy defines rules on how to delete the resulting Secret
-                            Defaults to 'Retain'
-                          enum:
-                            - Delete
-                            - Merge
-                            - Retain
-                          type: string
-                        immutable:
-                          description: Immutable defines if the final secret will be immutable
-                          type: boolean
-                        name:
-                          description: |-
-                            Name defines the name of the Secret resource to be managed
-                            This field is immutable
-                            Defaults to the .metadata.name of the ExternalSecret resource
-                          type: string
-                        template:
-                          description: Template defines a blueprint for the created Secret resource.
-                          properties:
-                            data:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            engineVersion:
-                              default: v2
-                              description: |-
-                                EngineVersion specifies the template engine version
-                                that should be used to compile/execute the
-                                template specified in .data and .templateFrom[].
-                              enum:
-                                - v1
-                                - v2
-                              type: string
-                            mergePolicy:
-                              default: Replace
-                              enum:
-                                - Replace
-                                - Merge
-                              type: string
-                            metadata:
-                              description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                              properties:
-                                annotations:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                                labels:
-                                  additionalProperties:
-                                    type: string
-                                  type: object
-                              type: object
-                            templateFrom:
-                              items:
-                                properties:
-                                  configMap:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  literal:
-                                    type: string
-                                  secret:
-                                    properties:
-                                      items:
-                                        items:
-                                          properties:
-                                            key:
-                                              type: string
-                                            templateAs:
-                                              default: Values
-                                              enum:
-                                                - Values
-                                                - KeysAndValues
-                                              type: string
-                                          required:
-                                            - key
-                                          type: object
-                                        type: array
-                                      name:
-                                        type: string
-                                    required:
-                                      - items
-                                      - name
-                                    type: object
-                                  target:
-                                    default: Data
-                                    enum:
-                                      - Data
-                                      - Annotations
-                                      - Labels
-                                    type: string
-                                type: object
-                              type: array
-                            type:
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                namespaceSelector:
-                  description: |-
-                    The labels to select by to find the Namespaces to create the ExternalSecrets in.
-                    Deprecated: Use NamespaceSelectors instead.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                      items:
-                        description: |-
-                          A label selector requirement is a selector that contains values, a key, and an operator that
-                          relates the key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies to.
-                            type: string
-                          operator:
-                            description: |-
-                              operator represents a key's relationship to a set of values.
-                              Valid operators are In, NotIn, Exists and DoesNotExist.
-                            type: string
-                          values:
-                            description: |-
-                              values is an array of string values. If the operator is In or NotIn,
-                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                              the values array must be empty. This array is replaced during a strategic
-                              merge patch.
-                            items:
-                              type: string
-                            type: array
-                            x-kubernetes-list-type: atomic
-                        required:
-                          - key
-                          - operator
-                        type: object
-                      type: array
-                      x-kubernetes-list-type: atomic
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: |-
-                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                        map is equivalent to an element of matchExpressions, whose key field is "key", the
-                        operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      type: object
-                  type: object
-                  x-kubernetes-map-type: atomic
-                namespaceSelectors:
-                  description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
-                  items:
-                    description: |-
-                      A label selector is a label query over a set of resources. The result of matchLabels and
-                      matchExpressions are ANDed. An empty label selector matches all objects. A null
-                      label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: |-
-                            A label selector requirement is a selector that contains values, a key, and an operator that
-                            relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: |-
-                                operator represents a key's relationship to a set of values.
-                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: |-
-                                values is an array of string values. If the operator is In or NotIn,
-                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                the values array must be empty. This array is replaced during a strategic
-                                merge patch.
-                              items:
-                                type: string
-                              type: array
-                              x-kubernetes-list-type: atomic
-                          required:
-                            - key
-                            - operator
-                          type: object
-                        type: array
-                        x-kubernetes-list-type: atomic
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: |-
-                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                    x-kubernetes-map-type: atomic
-                  type: array
-                namespaces:
-                  description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
-                  items:
-                    type: string
-                  type: array
-                refreshTime:
-                  description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
-                  type: string
-              required:
-                - externalSecretSpec
-              type: object
-            status:
-              description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      message:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                externalSecretName:
-                  description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
-                  type: string
-                failedNamespaces:
-                  description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
-                  items:
-                    description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
-                    properties:
-                      namespace:
-                        description: Namespace is the namespace that failed when trying to apply an ExternalSecret
-                        type: string
-                      reason:
-                        description: Reason is why the ExternalSecret failed to apply to the namespace
-                        type: string
-                    required:
-                      - namespace
-                    type: object
-                  type: array
-                provisionedNamespaces:
-                  description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
-                  items:
-                    type: string
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: clustersecretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ClusterSecretStore
-    listKind: ClusterSecretStoreList
-    plural: clustersecretstores
-    shortNames:
-      - css
-    singular: clustersecretstore
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: ecrauthorizationtokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - ecrauthorizationtoken
-    kind: ECRAuthorizationToken
-    listKind: ECRAuthorizationTokenList
-    plural: ecrauthorizationtokens
-    shortNames:
-      - ecrauthorizationtoken
-    singular: ecrauthorizationtoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
-            authorization token.
-            The authorization token is valid for 12 hours.
-            The authorizationToken returned is a base64 encoded string that can be decoded
-            and used in a docker login command to authenticate to a registry.
-            For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines how to authenticate with AWS
-                  properties:
-                    jwt:
-                      description: Authenticate against AWS using service account tokens.
-                      properties:
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      type: object
-                    secretRef:
-                      description: |-
-                        AWSAuthSecretRef holds secret references for AWS credentials
-                        both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                      properties:
-                        accessKeyIDSecretRef:
-                          description: The AccessKeyID is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        sessionTokenSecretRef:
-                          description: |-
-                            The SessionToken used for authentication
-                            This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                            see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                  type: object
-                region:
-                  description: Region specifies the region to operate in.
-                  type: string
-                role:
-                  description: |-
-                    You can assume a role before making calls to the
-                    desired AWS service.
-                  type: string
-              required:
-                - region
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: externalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: ExternalSecret
-    listKind: ExternalSecretList
-    plural: externalsecrets
-    shortNames:
-      - es
-    singular: externalsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: ExternalSecretDataRemoteRef defines Provider data location.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        type: string
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    description: ExternalSecretDataRemoteRef defines Provider data location.
-                    properties:
-                      conversionStrategy:
-                        default: Default
-                        description: Used to define a conversion Strategy
-                        enum:
-                          - Default
-                          - Unicode
-                        type: string
-                      key:
-                        description: Key is the key used in the Provider, mandatory
-                        type: string
-                      property:
-                        description: Used to select a specific property of the Provider value (if a map), if supported
-                        type: string
-                      version:
-                        description: Used to select a specific version of the Provider value, if supported
-                        type: string
-                    required:
-                      - key
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Merge
-                        - None
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v1
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            maxProperties: 1
-                            minProperties: 1
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              required:
-                - secretStoreRef
-                - target
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .spec.secretStoreRef.name
-          name: Store
-          type: string
-        - jsonPath: .spec.refreshInterval
-          name: Refresh Interval
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: ExternalSecret is the Schema for the external-secrets API.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: ExternalSecretSpec defines the desired state of ExternalSecret.
-              properties:
-                data:
-                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
-                  items:
-                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                    properties:
-                      remoteRef:
-                        description: |-
-                          RemoteRef points to the remote secret and defines
-                          which secret (version/property/..) to fetch.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      secretKey:
-                        description: |-
-                          SecretKey defines the key in which the controller stores
-                          the value. This is the key in the Kind=Secret
-                        type: string
-                      sourceRef:
-                        description: |-
-                          SourceRef allows you to override the source
-                          from which the value will pulled from.
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: |-
-                              GeneratorRef points to a generator custom resource.
-
-
-                              Deprecated: The generatorRef is not implemented in .data[].
-                              this will be removed with v1.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    required:
-                      - remoteRef
-                      - secretKey
-                    type: object
-                  type: array
-                dataFrom:
-                  description: |-
-                    DataFrom is used to fetch all properties from a specific Provider data
-                    If multiple entries are specified, the Secret keys are merged in the specified order
-                  items:
-                    properties:
-                      extract:
-                        description: |-
-                          Used to extract multiple key/value pairs from one secret
-                          Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          key:
-                            description: Key is the key used in the Provider, mandatory
-                            type: string
-                          metadataPolicy:
-                            default: None
-                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-                            enum:
-                              - None
-                              - Fetch
-                            type: string
-                          property:
-                            description: Used to select a specific property of the Provider value (if a map), if supported
-                            type: string
-                          version:
-                            description: Used to select a specific version of the Provider value, if supported
-                            type: string
-                        required:
-                          - key
-                        type: object
-                      find:
-                        description: |-
-                          Used to find secrets based on tags or regular expressions
-                          Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                        properties:
-                          conversionStrategy:
-                            default: Default
-                            description: Used to define a conversion Strategy
-                            enum:
-                              - Default
-                              - Unicode
-                            type: string
-                          decodingStrategy:
-                            default: None
-                            description: Used to define a decoding Strategy
-                            enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                            type: string
-                          name:
-                            description: Finds secrets based on the name.
-                            properties:
-                              regexp:
-                                description: Finds secrets base
-                                type: string
-                            type: object
-                          path:
-                            description: A root path to start the find operations.
-                            type: string
-                          tags:
-                            additionalProperties:
-                              type: string
-                            description: Find secrets based on tags.
-                            type: object
-                        type: object
-                      rewrite:
-                        description: |-
-                          Used to rewrite secret Keys after getting them from the secret Provider
-                          Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                        items:
-                          properties:
-                            regexp:
-                              description: |-
-                                Used to rewrite with regular expressions.
-                                The resulting key will be the output of a regexp.ReplaceAll operation.
-                              properties:
-                                source:
-                                  description: Used to define the regular expression of a re.Compiler.
-                                  type: string
-                                target:
-                                  description: Used to define the target pattern of a ReplaceAll operation.
-                                  type: string
-                              required:
-                                - source
-                                - target
-                              type: object
-                            transform:
-                              description: |-
-                                Used to apply string transformation on the secrets.
-                                The resulting key will be the output of the template applied by the operation.
-                              properties:
-                                template:
-                                  description: |-
-                                    Used to define the template to apply on the secret name.
-                                    `.value ` will specify the secret name in the template.
-                                  type: string
-                              required:
-                                - template
-                              type: object
-                          type: object
-                        type: array
-                      sourceRef:
-                        description: |-
-                          SourceRef points to a store or generator
-                          which contains secret values ready to use.
-                          Use this in combination with Extract or Find pull values out of
-                          a specific SecretStore.
-                          When sourceRef points to a generator Extract or Find is not supported.
-                          The generator returns a static map of values
-                        maxProperties: 1
-                        properties:
-                          generatorRef:
-                            description: GeneratorRef points to a generator custom resource.
-                            properties:
-                              apiVersion:
-                                default: generators.external-secrets.io/v1alpha1
-                                description: Specify the apiVersion of the generator resource
-                                type: string
-                              kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
-                                type: string
-                              name:
-                                description: Specify the name of the generator resource
-                                type: string
-                            required:
-                              - kind
-                              - name
-                            type: object
-                          storeRef:
-                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                            properties:
-                              kind:
-                                description: |-
-                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                  Defaults to `SecretStore`
-                                type: string
-                              name:
-                                description: Name of the SecretStore resource
-                                type: string
-                            required:
-                              - name
-                            type: object
-                        type: object
-                    type: object
-                  type: array
-                refreshInterval:
-                  default: 1h
-                  description: |-
-                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                    May be set to zero to fetch and create it once. Defaults to 1h.
-                  type: string
-                secretStoreRef:
-                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-                  properties:
-                    kind:
-                      description: |-
-                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                        Defaults to `SecretStore`
-                      type: string
-                    name:
-                      description: Name of the SecretStore resource
-                      type: string
-                  required:
-                    - name
-                  type: object
-                target:
-                  default:
-                    creationPolicy: Owner
-                    deletionPolicy: Retain
-                  description: |-
-                    ExternalSecretTarget defines the Kubernetes Secret to be created
-                    There can be only one target per ExternalSecret.
-                  properties:
-                    creationPolicy:
-                      default: Owner
-                      description: |-
-                        CreationPolicy defines rules on how to create the resulting Secret
-                        Defaults to 'Owner'
-                      enum:
-                        - Owner
-                        - Orphan
-                        - Merge
-                        - None
-                      type: string
-                    deletionPolicy:
-                      default: Retain
-                      description: |-
-                        DeletionPolicy defines rules on how to delete the resulting Secret
-                        Defaults to 'Retain'
-                      enum:
-                        - Delete
-                        - Merge
-                        - Retain
-                      type: string
-                    immutable:
-                      description: Immutable defines if the final secret will be immutable
-                      type: boolean
-                    name:
-                      description: |-
-                        Name defines the name of the Secret resource to be managed
-                        This field is immutable
-                        Defaults to the .metadata.name of the ExternalSecret resource
-                      type: string
-                    template:
-                      description: Template defines a blueprint for the created Secret resource.
-                      properties:
-                        data:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        engineVersion:
-                          default: v2
-                          description: |-
-                            EngineVersion specifies the template engine version
-                            that should be used to compile/execute the
-                            template specified in .data and .templateFrom[].
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                        mergePolicy:
-                          default: Replace
-                          enum:
-                            - Replace
-                            - Merge
-                          type: string
-                        metadata:
-                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                          properties:
-                            annotations:
-                              additionalProperties:
-                                type: string
-                              type: object
-                            labels:
-                              additionalProperties:
-                                type: string
-                              type: object
-                          type: object
-                        templateFrom:
-                          items:
-                            properties:
-                              configMap:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              literal:
-                                type: string
-                              secret:
-                                properties:
-                                  items:
-                                    items:
-                                      properties:
-                                        key:
-                                          type: string
-                                        templateAs:
-                                          default: Values
-                                          enum:
-                                            - Values
-                                            - KeysAndValues
-                                          type: string
-                                      required:
-                                        - key
-                                      type: object
-                                    type: array
-                                  name:
-                                    type: string
-                                required:
-                                  - items
-                                  - name
-                                type: object
-                              target:
-                                default: Data
-                                enum:
-                                  - Data
-                                  - Annotations
-                                  - Labels
-                                type: string
-                            type: object
-                          type: array
-                        type:
-                          type: string
-                      type: object
-                  type: object
-              type: object
-            status:
-              properties:
-                binding:
-                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
-                  properties:
-                    name:
-                      default: ""
-                      description: |-
-                        Name of the referent.
-                        This field is effectively required, but due to backwards compatibility is
-                        allowed to be empty. Instances of this type with an empty value here are
-                        almost certainly wrong.
-                        TODO: Add other useful fields. apiVersion, kind, uid?
-                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: fakes.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - fake
-    kind: Fake
-    listKind: FakeList
-    plural: fakes
-    shortNames:
-      - fake
-    singular: fake
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Fake generator is used for testing. It lets you define
-            a static set of credentials that is always returned.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: FakeSpec contains the static data.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                data:
-                  additionalProperties:
-                    type: string
-                  description: |-
-                    Data defines the static data returned
-                    by this generator.
-                  type: object
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: gcraccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - gcraccesstoken
-    kind: GCRAccessToken
-    listKind: GCRAccessTokenList
-    plural: gcraccesstokens
-    shortNames:
-      - gcraccesstoken
-    singular: gcraccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            GCRAccessToken generates an GCP access token
-            that can be used to authenticate with GCR.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                auth:
-                  description: Auth defines the means for authenticating with GCP
-                  properties:
-                    secretRef:
-                      properties:
-                        secretAccessKeySecretRef:
-                          description: The SecretAccessKey is used for authentication
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    workloadIdentity:
-                      properties:
-                        clusterLocation:
-                          type: string
-                        clusterName:
-                          type: string
-                        clusterProjectID:
-                          type: string
-                        serviceAccountRef:
-                          description: A reference to a ServiceAccount resource.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                      required:
-                        - clusterLocation
-                        - clusterName
-                        - serviceAccountRef
-                      type: object
-                  type: object
-                projectID:
-                  description: ProjectID defines which project to use to authenticate with
-                  type: string
-              required:
-                - auth
-                - projectID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: githubaccesstokens.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - githubaccesstoken
-    kind: GithubAccessToken
-    listKind: GithubAccessTokenList
-    plural: githubaccesstokens
-    shortNames:
-      - githubaccesstoken
-    singular: githubaccesstoken
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: GithubAccessToken generates ghs_ accessToken
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                appID:
-                  type: string
-                auth:
-                  description: Auth configures how ESO authenticates with a Github instance.
-                  properties:
-                    privateKey:
-                      properties:
-                        secretRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      required:
-                        - secretRef
-                      type: object
-                  required:
-                    - privateKey
-                  type: object
-                installID:
-                  type: string
-                url:
-                  description: URL configures the Github instance URL. Defaults to https://github.com/.
-                  type: string
-              required:
-                - appID
-                - auth
-                - installID
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: passwords.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - password
-    kind: Password
-    listKind: PasswordList
-    plural: passwords
-    shortNames:
-      - password
-    singular: password
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Password generates a random password based on the
-            configuration parameters in spec.
-            You can specify the length, characterset and other attributes.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PasswordSpec controls the behavior of the password generator.
-              properties:
-                allowRepeat:
-                  default: false
-                  description: set AllowRepeat to true to allow repeating characters.
-                  type: boolean
-                digits:
-                  description: |-
-                    Digits specifies the number of digits in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-                length:
-                  default: 24
-                  description: |-
-                    Length of the password to be generated.
-                    Defaults to 24
-                  type: integer
-                noUpper:
-                  default: false
-                  description: Set NoUpper to disable uppercase characters
-                  type: boolean
-                symbolCharacters:
-                  description: |-
-                    SymbolCharacters specifies the special characters that should be used
-                    in the generated password.
-                  type: string
-                symbols:
-                  description: |-
-                    Symbols specifies the number of symbol characters in the generated
-                    password. If omitted it defaults to 25% of the length of the password
-                  type: integer
-              required:
-                - allowRepeat
-                - length
-                - noUpper
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  name: pushsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - pushsecrets
-    kind: PushSecret
-    listKind: PushSecretList
-    plural: pushsecrets
-    singular: pushsecret
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: PushSecretSpec configures the behavior of the PushSecret.
-              properties:
-                data:
-                  description: Secret Data that should be pushed to providers
-                  items:
-                    properties:
-                      conversionStrategy:
-                        default: None
-                        description: Used to define a conversion Strategy for the secret keys
-                        enum:
-                          - None
-                          - ReverseUnicode
-                        type: string
-                      match:
-                        description: Match a given Secret Key to be pushed to the provider.
-                        properties:
-                          remoteRef:
-                            description: Remote Refs to push to providers.
-                            properties:
-                              property:
-                                description: Name of the property in the resulting secret
-                                type: string
-                              remoteKey:
-                                description: Name of the resulting provider secret.
-                                type: string
-                            required:
-                              - remoteKey
-                            type: object
-                          secretKey:
-                            description: Secret Key to be pushed
-                            type: string
-                        required:
-                          - remoteRef
-                        type: object
-                      metadata:
-                        description: |-
-                          Metadata is metadata attached to the secret.
-                          The structure of metadata is provider specific, please look it up in the provider documentation.
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                      - match
-                    type: object
-                  type: array
-                deletionPolicy:
-                  default: None
-                  description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
-                  enum:
-                    - Delete
-                    - None
-                  type: string
-                refreshInterval:
-                  description: The Interval to which External Secrets will try to push a secret definition
-                  type: string
-                secretStoreRefs:
-                  items:
-                    properties:
-                      kind:
-                        default: SecretStore
-                        description: |-
-                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                          Defaults to `SecretStore`
-                        type: string
-                      labelSelector:
-                        description: Optionally, sync to secret stores with label selector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      name:
-                        description: Optionally, sync to the SecretStore of the given name
-                        type: string
-                    type: object
-                  type: array
-                selector:
-                  description: The Secret Selector (k8s source) for the Push Secret
-                  properties:
-                    secret:
-                      description: Select a Secret to Push.
-                      properties:
-                        name:
-                          description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
-                          type: string
-                      required:
-                        - name
-                      type: object
-                  required:
-                    - secret
-                  type: object
-                template:
-                  description: Template defines a blueprint for the created Secret resource.
-                  properties:
-                    data:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    engineVersion:
-                      default: v2
-                      description: |-
-                        EngineVersion specifies the template engine version
-                        that should be used to compile/execute the
-                        template specified in .data and .templateFrom[].
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                    mergePolicy:
-                      default: Replace
-                      enum:
-                        - Replace
-                        - Merge
-                      type: string
-                    metadata:
-                      description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          type: object
-                        labels:
-                          additionalProperties:
-                            type: string
-                          type: object
-                      type: object
-                    templateFrom:
-                      items:
-                        properties:
-                          configMap:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          literal:
-                            type: string
-                          secret:
-                            properties:
-                              items:
-                                items:
-                                  properties:
-                                    key:
-                                      type: string
-                                    templateAs:
-                                      default: Values
-                                      enum:
-                                        - Values
-                                        - KeysAndValues
-                                      type: string
-                                  required:
-                                    - key
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                            required:
-                              - items
-                              - name
-                            type: object
-                          target:
-                            default: Data
-                            enum:
-                              - Data
-                              - Annotations
-                              - Labels
-                            type: string
-                        type: object
-                      type: array
-                    type:
-                      type: string
-                  type: object
-                updatePolicy:
-                  default: Replace
-                  description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
-                  enum:
-                    - Replace
-                    - IfNotExists
-                  type: string
-              required:
-                - secretStoreRefs
-                - selector
-              type: object
-            status:
-              description: PushSecretStatus indicates the history of the status of PushSecret.
-              properties:
-                conditions:
-                  items:
-                    description: PushSecretStatusCondition indicates the status of the PushSecret.
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        description: PushSecretConditionType indicates the condition of the PushSecret.
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-                refreshTime:
-                  description: |-
-                    refreshTime is the time and date the external secret was fetched and
-                    the target secret updated
-                  format: date-time
-                  nullable: true
-                  type: string
-                syncedPushSecrets:
-                  additionalProperties:
-                    additionalProperties:
-                      properties:
-                        conversionStrategy:
-                          default: None
-                          description: Used to define a conversion Strategy for the secret keys
-                          enum:
-                            - None
-                            - ReverseUnicode
-                          type: string
-                        match:
-                          description: Match a given Secret Key to be pushed to the provider.
-                          properties:
-                            remoteRef:
-                              description: Remote Refs to push to providers.
-                              properties:
-                                property:
-                                  description: Name of the property in the resulting secret
-                                  type: string
-                                remoteKey:
-                                  description: Name of the resulting provider secret.
-                                  type: string
-                              required:
-                                - remoteKey
-                              type: object
-                            secretKey:
-                              description: Secret Key to be pushed
-                              type: string
-                          required:
-                            - remoteRef
-                          type: object
-                        metadata:
-                          description: |-
-                            Metadata is metadata attached to the secret.
-                            The structure of metadata is provider specific, please look it up in the provider documentation.
-                          x-kubernetes-preserve-unknown-fields: true
-                      required:
-                        - match
-                      type: object
-                    type: object
-                  description: |-
-                    Synced PushSecrets, including secrets that already exist in provider.
-                    Matches secret stores to PushSecretData that was stored to that secret store.
-                  type: object
-                syncedResourceVersion:
-                  description: SyncedResourceVersion keeps track of the last synced version.
-                  type: string
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: secretstores.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-      - externalsecrets
-    kind: SecretStore
-    listKind: SecretStoreList
-    plural: secretstores
-    shortNames:
-      - ss
-    singular: secretstore
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-      deprecated: true
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the SecretManager provider will assume
-                          type: string
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
-                          properties:
-                            clientId:
-                              description: The Azure clientId of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          properties:
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                serviceAccount:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key the value inside of the provider type to use, only used with "Secret" type
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: The namespace the Provider type is in.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, instance principal is used. Optionally, the authenticating principal type
-                            and/or user data may be supplied for the use of workload identity and user principal.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - roleId
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .metadata.creationTimestamp
-          name: AGE
-          type: date
-        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-          name: Status
-          type: string
-        - jsonPath: .status.capabilities
-          name: Capabilities
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: SecretStoreSpec defines the desired state of SecretStore.
-              properties:
-                conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-                  items:
-                    description: |-
-                      ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-                      for a ClusterSecretStore instance.
-                    properties:
-                      namespaceRegexes:
-                        description: Choose namespaces by using regex matching
-                        items:
-                          type: string
-                        type: array
-                      namespaceSelector:
-                        description: Choose namespace using a labelSelector
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: |-
-                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: |-
-                                    operator represents a key's relationship to a set of values.
-                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: |-
-                                    values is an array of string values. If the operator is In or NotIn,
-                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                    the values array must be empty. This array is replaced during a strategic
-                                    merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                                  x-kubernetes-list-type: atomic
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                            x-kubernetes-list-type: atomic
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: |-
-                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespaces:
-                        description: Choose namespaces by name
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters ES based on this property
-                  type: string
-                provider:
-                  description: Used to configure the provider. Only one provider may be set
-                  maxProperties: 1
-                  minProperties: 1
-                  properties:
-                    akeyless:
-                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
-                      properties:
-                        akeylessGWApiURL:
-                          description: Akeyless GW API Url from which the secrets to be fetched from.
-                          type: string
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Akeyless.
-                          properties:
-                            kubernetesAuth:
-                              description: |-
-                                Kubernetes authenticates with Akeyless by passing the ServiceAccount
-                                token stored in the named Secret resource.
-                              properties:
-                                accessID:
-                                  description: the Akeyless Kubernetes auth-method access-id
-                                  type: string
-                                k8sConfName:
-                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Akeyless. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Akeyless. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - accessID
-                                - k8sConfName
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a Secret that contains the details
-                                to authenticate with Akeyless.
-                              properties:
-                                accessID:
-                                  description: The SecretAccessID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessType:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessTypeParam:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
-                            if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                      required:
-                        - akeylessGWApiURL
-                        - authSecretRef
-                      type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: Authenticate against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
-                    aws:
-                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
-                      properties:
-                        additionalRoles:
-                          description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-                          items:
-                            type: string
-                          type: array
-                        auth:
-                          description: |-
-                            Auth defines the information necessary to authenticate against AWS
-                            if not set aws sdk will infer credentials from your environment
-                            see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                          properties:
-                            jwt:
-                              description: Authenticate against AWS using service account tokens.
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            secretRef:
-                              description: |-
-                                AWSAuthSecretRef holds secret references for AWS credentials
-                                both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        externalID:
-                          description: AWS External ID set on assumed IAM roles
-                          type: string
-                        prefix:
-                          description: Prefix adds a prefix to all retrieved values.
-                          type: string
-                        region:
-                          description: AWS Region to be used for the provider
-                          type: string
-                        role:
-                          description: Role is a Role ARN which the provider will assume
-                          type: string
-                        secretsManager:
-                          description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-                          properties:
-                            forceDeleteWithoutRecovery:
-                              description: |-
-                                Specifies whether to delete the secret without any recovery window. You
-                                can't use both this parameter and RecoveryWindowInDays in the same call.
-                                If you don't use either, then by default Secrets Manager uses a 30 day
-                                recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-                              type: boolean
-                            recoveryWindowInDays:
-                              description: |-
-                                The number of days from 7 to 30 that Secrets Manager waits before
-                                permanently deleting the secret. You can't use both this parameter and
-                                ForceDeleteWithoutRecovery in the same call. If you don't use either,
-                                then by default Secrets Manager uses a 30 day recovery window.
-                                see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                              format: int64
-                              type: integer
-                          type: object
-                        service:
-                          description: Service defines which service should be used to fetch the secrets
-                          enum:
-                            - SecretsManager
-                            - ParameterStore
-                          type: string
-                        sessionTags:
-                          description: AWS STS assume role session tags
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                            required:
-                              - key
-                              - value
-                            type: object
-                          type: array
-                        transitiveTagKeys:
-                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-                          items:
-                            type: string
-                          type: array
-                      required:
-                        - region
-                        - service
-                      type: object
-                    azurekv:
-                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
-                      properties:
-                        authSecretRef:
-                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          properties:
-                            clientCertificate:
-                              description: The Azure ClientCertificate of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientId:
-                              description: The Azure clientId of the service principle or managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            clientSecret:
-                              description: The Azure ClientSecret of the service principle used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            tenantId:
-                              description: The Azure tenantId of the managed identity used for authentication.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        authType:
-                          default: ServicePrincipal
-                          description: |-
-                            Auth type defines how to authenticate to the keyvault service.
-                            Valid values are:
-                            - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
-                            - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
-                          enum:
-                            - ServicePrincipal
-                            - ManagedIdentity
-                            - WorkloadIdentity
-                          type: string
-                        environmentType:
-                          default: PublicCloud
-                          description: |-
-                            EnvironmentType specifies the Azure cloud environment endpoints to use for
-                            connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-                            The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-                            PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-                          enum:
-                            - PublicCloud
-                            - USGovernmentCloud
-                            - ChinaCloud
-                            - GermanCloud
-                          type: string
-                        identityId:
-                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        tenantId:
-                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
-                          type: string
-                        vaultUrl:
-                          description: Vault Url from which the secrets to be fetched from.
-                          type: string
-                      required:
-                        - vaultUrl
-                      type: object
-                    bitwardensecretsmanager:
-                      description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-                      properties:
-                        apiURL:
-                          type: string
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-                            Make sure that the token being used has permissions on the given secret.
-                          properties:
-                            secretRef:
-                              description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-                              properties:
-                                credentials:
-                                  description: AccessToken used for the bitwarden instance.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - credentials
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        bitwardenServerSDKURL:
-                          type: string
-                        caBundle:
-                          description: |-
-                            Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-                            can be performed.
-                          type: string
-                        identityURL:
-                          type: string
-                        organizationID:
-                          description: OrganizationID determines which organization this secret store manages.
-                          type: string
-                        projectID:
-                          description: ProjectID determines which project this secret store manages.
-                          type: string
-                      required:
-                        - auth
-                        - caBundle
-                        - organizationID
-                        - projectID
-                      type: object
-                    chef:
-                      description: Chef configures this store to sync secrets with chef server
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against chef Server
-                          properties:
-                            secretRef:
-                              description: ChefAuthSecretRef holds secret references for chef server login credentials.
-                              properties:
-                                privateKeySecretRef:
-                                  description: SecretKey is the Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - privateKeySecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        serverUrl:
-                          description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-                          type: string
-                        username:
-                          description: UserName should be the user ID on the chef server
-                          type: string
-                      required:
-                        - auth
-                        - serverUrl
-                        - username
-                      type: object
-                    conjur:
-                      description: Conjur configures this store to sync secrets using conjur provider
-                      properties:
-                        auth:
-                          properties:
-                            apikey:
-                              properties:
-                                account:
-                                  type: string
-                                apiKeyRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                userRef:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - account
-                                - apiKeyRef
-                                - userRef
-                              type: object
-                            jwt:
-                              properties:
-                                account:
-                                  type: string
-                                hostId:
-                                  description: |-
-                                    Optional HostID for JWT authentication. This may be used depending
-                                    on how the Conjur JWT authenticator policy is configured.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Conjur using the JWT authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                serviceID:
-                                  description: The conjur authn jwt webservice id
-                                  type: string
-                              required:
-                                - account
-                                - serviceID
-                              type: object
-                          type: object
-                        caBundle:
-                          type: string
-                        caProvider:
-                          description: |-
-                            Used to provide custom certificate authority (CA) certificates
-                            for a secret store. The CAProvider points to a Secret or ConfigMap resource
-                            that contains a PEM-encoded certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        url:
-                          type: string
-                      required:
-                        - auth
-                        - url
-                      type: object
-                    delinea:
-                      description: |-
-                        Delinea DevOps Secrets Vault
-                        https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-                      properties:
-                        clientId:
-                          description: ClientID is the non-secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        clientSecret:
-                          description: ClientSecret is the secret part of the credential.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        tenant:
-                          description: Tenant is the chosen hostname / site name.
-                          type: string
-                        tld:
-                          description: |-
-                            TLD is based on the server location that was chosen during provisioning.
-                            If unset, defaults to "com".
-                          type: string
-                        urlTemplate:
-                          description: |-
-                            URLTemplate
-                            If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-                          type: string
-                      required:
-                        - clientId
-                        - clientSecret
-                        - tenant
-                      type: object
-                    device42:
-                      description: Device42 configures this store to sync secrets using the Device42 provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Device42 instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        host:
-                          description: URL configures the Device42 instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    doppler:
-                      description: Doppler configures this store to sync secrets using the Doppler provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Doppler API
-                          properties:
-                            secretRef:
-                              properties:
-                                dopplerToken:
-                                  description: |-
-                                    The DopplerToken is used for authentication.
-                                    See https://docs.doppler.com/reference/api#authentication for auth token types.
-                                    The Key attribute defaults to dopplerToken if not specified.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - dopplerToken
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        config:
-                          description: Doppler config (required if not using a Service Token)
-                          type: string
-                        format:
-                          description: Format enables the downloading of secrets as a file (string)
-                          enum:
-                            - json
-                            - dotnet-json
-                            - env
-                            - yaml
-                            - docker
-                          type: string
-                        nameTransformer:
-                          description: Environment variable compatible name transforms that change secret names to a different format
-                          enum:
-                            - upper-camel
-                            - camel
-                            - lower-snake
-                            - tf-var
-                            - dotnet-env
-                            - lower-kebab
-                          type: string
-                        project:
-                          description: Doppler project (required if not using a Service Token)
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    fake:
-                      description: Fake configures a store with static key/value pairs
-                      properties:
-                        data:
-                          items:
-                            properties:
-                              key:
-                                type: string
-                              value:
-                                type: string
-                              valueMap:
-                                additionalProperties:
-                                  type: string
-                                description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-                                type: object
-                              version:
-                                type: string
-                            required:
-                              - key
-                            type: object
-                          type: array
-                      required:
-                        - data
-                      type: object
-                    fortanix:
-                      description: Fortanix configures this store to sync secrets using the Fortanix provider
-                      properties:
-                        apiKey:
-                          description: APIKey is the API token to access SDKMS Applications.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the SDKMS API Key.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-                          type: string
-                      type: object
-                    gcpsm:
-                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against GCP
-                          properties:
-                            secretRef:
-                              properties:
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            workloadIdentity:
-                              properties:
-                                clusterLocation:
-                                  type: string
-                                clusterName:
-                                  type: string
-                                clusterProjectID:
-                                  type: string
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - clusterLocation
-                                - clusterName
-                                - serviceAccountRef
-                              type: object
-                          type: object
-                        location:
-                          description: Location optionally defines a location for a secret
-                          type: string
-                        projectID:
-                          description: ProjectID project where secret is located
-                          type: string
-                      type: object
-                    gitlab:
-                      description: GitLab configures this store to sync secrets using GitLab Variables provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a GitLab instance.
-                          properties:
-                            SecretRef:
-                              properties:
-                                accessToken:
-                                  description: AccessToken is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - SecretRef
-                          type: object
-                        environment:
-                          description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-                          type: string
-                        groupIDs:
-                          description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-                          items:
-                            type: string
-                          type: array
-                        inheritFromGroups:
-                          description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-                          type: boolean
-                        projectID:
-                          description: ProjectID specifies a project where secrets are located.
-                          type: string
-                        url:
-                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    ibm:
-                      description: IBM configures this store to sync secrets using IBM Cloud provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            containerAuth:
-                              description: IBM Container-based auth with IAM Trusted Profile.
-                              properties:
-                                iamEndpoint:
-                                  type: string
-                                profile:
-                                  description: the IBM Trusted Profile
-                                  type: string
-                                tokenLocation:
-                                  description: Location the token is mounted on the pod
-                                  type: string
-                              required:
-                                - profile
-                              type: object
-                            secretRef:
-                              properties:
-                                secretApiKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        serviceUrl:
-                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
-                          type: string
-                      required:
-                        - auth
-                      type: object
-                    infisical:
-                      description: Infisical configures this store to sync secrets using the Infisical provider
-                      properties:
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Infisical API
-                          properties:
-                            universalAuthCredentials:
-                              properties:
-                                clientId:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientSecret:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - clientId
-                                - clientSecret
-                              type: object
-                          type: object
-                        hostAPI:
-                          default: https://app.infisical.com/api
-                          type: string
-                        secretsScope:
-                          properties:
-                            environmentSlug:
-                              type: string
-                            projectSlug:
-                              type: string
-                            secretsPath:
-                              default: /
-                              type: string
-                          required:
-                            - environmentSlug
-                            - projectSlug
-                          type: object
-                      required:
-                        - auth
-                        - secretsScope
-                      type: object
-                    keepersecurity:
-                      description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-                      properties:
-                        authRef:
-                          description: |-
-                            A reference to a specific 'key' within a Secret resource,
-                            In some instances, `key` is a required field.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        folderID:
-                          type: string
-                      required:
-                        - authRef
-                        - folderID
-                      type: object
-                    kubernetes:
-                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            cert:
-                              description: has both clientCert and clientKey as secretKeySelector
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                clientKey:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            serviceAccount:
-                              description: points to a service account that should be used for authentication
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            token:
-                              description: use static token to authenticate with
-                              properties:
-                                bearerToken:
-                                  description: |-
-                                    A reference to a specific 'key' within a Secret resource,
-                                    In some instances, `key` is a required field.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          type: object
-                        authRef:
-                          description: A reference to a secret that contains the auth information.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        remoteNamespace:
-                          default: default
-                          description: Remote namespace to fetch the secrets from
-                          type: string
-                        server:
-                          description: configures the Kubernetes server Address.
-                          properties:
-                            caBundle:
-                              description: CABundle is a base64-encoded CA certificate
-                              format: byte
-                              type: string
-                            caProvider:
-                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
-                              properties:
-                                key:
-                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                                  type: string
-                                name:
-                                  description: The name of the object located at the provider type.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    The namespace the Provider type is in.
-                                    Can only be defined when used in a ClusterSecretStore.
-                                  type: string
-                                type:
-                                  description: The type of provider to use such as "Secret", or "ConfigMap".
-                                  enum:
-                                    - Secret
-                                    - ConfigMap
-                                  type: string
-                              required:
-                                - name
-                                - type
-                              type: object
-                            url:
-                              default: kubernetes.default
-                              description: configures the Kubernetes server Address.
-                              type: string
-                          type: object
-                      type: object
-                    onboardbase:
-                      description: Onboardbase configures this store to sync secrets using the Onboardbase provider
-                      properties:
-                        apiHost:
-                          default: https://public.onboardbase.com/api/v1/
-                          description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-                          type: string
-                        auth:
-                          description: Auth configures how the Operator authenticates with the Onboardbase API
-                          properties:
-                            apiKeyRef:
-                              description: |-
-                                OnboardbaseAPIKey is the APIKey generated by an admin account.
-                                It is used to recognize and authorize access to a project and environment within onboardbase
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            passcodeRef:
-                              description: OnboardbasePasscode is the passcode attached to the API Key
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - apiKeyRef
-                            - passcodeRef
-                          type: object
-                        environment:
-                          default: development
-                          description: Environment is the name of an environmnent within a project to pull the secrets from
-                          type: string
-                        project:
-                          default: development
-                          description: Project is an onboardbase project that the secrets should be pulled from
-                          type: string
-                      required:
-                        - apiHost
-                        - auth
-                        - environment
-                        - project
-                      type: object
-                    onepassword:
-                      description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against OnePassword Connect Server
-                          properties:
-                            secretRef:
-                              description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-                              properties:
-                                connectTokenSecretRef:
-                                  description: The ConnectToken is used for authentication to a 1Password Connect Server.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - connectTokenSecretRef
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        connectHost:
-                          description: ConnectHost defines the OnePassword Connect Server to connect to
-                          type: string
-                        vaults:
-                          additionalProperties:
-                            type: integer
-                          description: Vaults defines which OnePassword vaults to search in which order
-                          type: object
-                      required:
-                        - auth
-                        - connectHost
-                        - vaults
-                      type: object
-                    oracle:
-                      description: Oracle configures this store to sync secrets using Oracle Vault provider
-                      properties:
-                        auth:
-                          description: |-
-                            Auth configures how secret-manager authenticates with the Oracle Vault.
-                            If empty, use the instance principal, otherwise the user credentials specified in Auth.
-                          properties:
-                            secretRef:
-                              description: SecretRef to pass through sensitive information.
-                              properties:
-                                fingerprint:
-                                  description: Fingerprint is the fingerprint of the API private key.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                privatekey:
-                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - fingerprint
-                                - privatekey
-                              type: object
-                            tenancy:
-                              description: Tenancy is the tenancy OCID where user is located.
-                              type: string
-                            user:
-                              description: User is an access OCID specific to the account.
-                              type: string
-                          required:
-                            - secretRef
-                            - tenancy
-                            - user
-                          type: object
-                        compartment:
-                          description: |-
-                            Compartment is the vault compartment OCID.
-                            Required for PushSecret
-                          type: string
-                        encryptionKey:
-                          description: |-
-                            EncryptionKey is the OCID of the encryption key within the vault.
-                            Required for PushSecret
-                          type: string
-                        principalType:
-                          description: |-
-                            The type of principal to use for authentication. If left blank, the Auth struct will
-                            determine the principal type. This optional field must be specified if using
-                            workload identity.
-                          enum:
-                            - ""
-                            - UserPrincipal
-                            - InstancePrincipal
-                            - Workload
-                          type: string
-                        region:
-                          description: Region is the region where vault is located.
-                          type: string
-                        serviceAccountRef:
-                          description: |-
-                            ServiceAccountRef specified the service account
-                            that should be used when authenticating with WorkloadIdentity.
-                          properties:
-                            audiences:
-                              description: |-
-                                Audience specifies the `aud` claim for the service account token
-                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                then this audiences will be appended to the list
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: The name of the ServiceAccount resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          required:
-                            - name
-                          type: object
-                        vault:
-                          description: Vault is the vault's OCID of the specific vault where secret is located.
-                          type: string
-                      required:
-                        - region
-                        - vault
-                      type: object
-                    passbolt:
-                      properties:
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Passbolt Server
-                          properties:
-                            passwordSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            privateKeySecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - passwordSecretRef
-                            - privateKeySecretRef
-                          type: object
-                        host:
-                          description: Host defines the Passbolt Server to connect to
-                          type: string
-                      required:
-                        - auth
-                        - host
-                      type: object
-                    passworddepot:
-                      description: Configures a store to sync secrets with a Password Depot instance.
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with a Password Depot instance.
-                          properties:
-                            secretRef:
-                              properties:
-                                credentials:
-                                  description: Username / Password is used for authentication.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                          required:
-                            - secretRef
-                          type: object
-                        database:
-                          description: Database to use as source
-                          type: string
-                        host:
-                          description: URL configures the Password Depot instance URL.
-                          type: string
-                      required:
-                        - auth
-                        - database
-                        - host
-                      type: object
-                    pulumi:
-                      description: Pulumi configures this store to sync secrets using the Pulumi provider
-                      properties:
-                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-                          properties:
-                            secretRef:
-                              description: SecretRef is a reference to a secret containing the Pulumi API token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        apiUrl:
-                          default: https://api.pulumi.com/api/preview
-                          description: APIURL is the URL of the Pulumi API.
-                          type: string
-                        environment:
-                          description: |-
-                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-                            dynamically retrieved values from supported providers including all major clouds,
-                            and other Pulumi ESC environments.
-                            To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-                          type: string
-                        organization:
-                          description: |-
-                            Organization are a space to collaborate on shared projects and stacks.
-                            To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-                          type: string
-                      required:
-                        - accessToken
-                        - environment
-                        - organization
-                      type: object
-                    scaleway:
-                      description: Scaleway
-                      properties:
-                        accessKey:
-                          description: AccessKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        apiUrl:
-                          description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-                          type: string
-                        projectId:
-                          description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
-                          type: string
-                        region:
-                          description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
-                          type: string
-                        secretKey:
-                          description: SecretKey is the non-secret part of the api key.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - accessKey
-                        - projectId
-                        - region
-                        - secretKey
-                      type: object
-                    secretserver:
-                      description: |-
-                        SecretServer configures this store to sync secrets using SecretServer provider
-                        https://docs.delinea.com/online-help/secret-server/start.htm
-                      properties:
-                        password:
-                          description: Password is the secret server account password.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                        serverURL:
-                          description: |-
-                            ServerURL
-                            URL to your secret server installation
-                          type: string
-                        username:
-                          description: Username is the secret server account username.
-                          properties:
-                            secretRef:
-                              description: SecretRef references a key in a secret that will be used as value.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            value:
-                              description: Value can be specified directly to set a value without using a secret.
-                              type: string
-                          type: object
-                      required:
-                        - password
-                        - serverURL
-                        - username
-                      type: object
-                    senhasegura:
-                      description: Senhasegura configures this store to sync secrets using senhasegura provider
-                      properties:
-                        auth:
-                          description: Auth defines parameters to authenticate in senhasegura
-                          properties:
-                            clientId:
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - clientId
-                            - clientSecretSecretRef
-                          type: object
-                        ignoreSslCertificate:
-                          default: false
-                          description: IgnoreSslCertificate defines if SSL certificate must be ignored
-                          type: boolean
-                        module:
-                          description: Module defines which senhasegura module should be used to get secrets
-                          type: string
-                        url:
-                          description: URL of senhasegura
-                          type: string
-                      required:
-                        - auth
-                        - module
-                        - url
-                      type: object
-                    vault:
-                      description: Vault configures this store to sync secrets using Hashi provider
-                      properties:
-                        auth:
-                          description: Auth configures how secret-manager authenticates with the Vault server.
-                          properties:
-                            appRole:
-                              description: |-
-                                AppRole authenticates with Vault using the App Role auth mechanism,
-                                with the role and secret stored in a Kubernetes Secret resource.
-                              properties:
-                                path:
-                                  default: approle
-                                  description: |-
-                                    Path where the App Role authentication backend is mounted
-                                    in Vault, e.g: "approle"
-                                  type: string
-                                roleId:
-                                  description: |-
-                                    RoleID configured in the App Role authentication backend when setting
-                                    up the authentication backend in Vault.
-                                  type: string
-                                roleRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role ID used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role id.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    Reference to a key in a Secret that contains the App Role secret used
-                                    to authenticate with Vault.
-                                    The `key` field must be specified and denotes which entry within the Secret
-                                    resource is used as the app role secret.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                                - secretRef
-                              type: object
-                            cert:
-                              description: |-
-                                Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                                Cert authentication method
-                              properties:
-                                clientCert:
-                                  description: |-
-                                    ClientCert is a certificate to authenticate using the Cert Vault
-                                    authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing client private key to
-                                    authenticate with Vault using the Cert authentication method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            iam:
-                              description: |-
-                                Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                                AWS IAM authentication method
-                              properties:
-                                externalID:
-                                  description: AWS External ID set on assumed IAM roles
-                                  type: string
-                                jwt:
-                                  description: Specify a service account with IRSA enabled
-                                  properties:
-                                    serviceAccountRef:
-                                      description: A reference to a ServiceAccount resource.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  type: object
-                                path:
-                                  description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                                  type: string
-                                region:
-                                  description: AWS region
-                                  type: string
-                                role:
-                                  description: This is the AWS role to be assumed before talking to vault
-                                  type: string
-                                secretRef:
-                                  description: Specify credentials in a Secret object
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    secretAccessKeySecretRef:
-                                      description: The SecretAccessKey is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                    sessionTokenSecretRef:
-                                      description: |-
-                                        The SessionToken used for authentication
-                                        This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                        see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                      properties:
-                                        key:
-                                          description: |-
-                                            The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                            defaulted, in others it may be required.
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      type: object
-                                  type: object
-                                vaultAwsIamServerID:
-                                  description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                                  type: string
-                                vaultRole:
-                                  description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                                  type: string
-                              required:
-                                - vaultRole
-                              type: object
-                            jwt:
-                              description: |-
-                                Jwt authenticates with Vault by passing role and JWT token using the
-                                JWT/OIDC authentication method
-                              properties:
-                                kubernetesServiceAccountToken:
-                                  description: |-
-                                    Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                    a token for with the `TokenRequest` API.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Optional audiences field that will be used to request a temporary Kubernetes service
-                                        account token for the service account referenced by `serviceAccountRef`.
-                                        Defaults to a single audience `vault` it not specified.
-                                        Deprecated: use serviceAccountRef.Audiences instead
-                                      items:
-                                        type: string
-                                      type: array
-                                    expirationSeconds:
-                                      description: |-
-                                        Optional expiration time in seconds that will be used to request a temporary
-                                        Kubernetes service account token for the service account referenced by
-                                        `serviceAccountRef`.
-                                        Deprecated: this will be removed in the future.
-                                        Defaults to 10 minutes.
-                                      format: int64
-                                      type: integer
-                                    serviceAccountRef:
-                                      description: Service account field containing the name of a kubernetes ServiceAccount.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            Audience specifies the `aud` claim for the service account token
-                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                            then this audiences will be appended to the list
-                                          items:
-                                            type: string
-                                          type: array
-                                        name:
-                                          description: The name of the ServiceAccount resource being referred to.
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                            to the namespace of the referent.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                                path:
-                                  default: jwt
-                                  description: |-
-                                    Path where the JWT authentication backend is mounted
-                                    in Vault, e.g: "jwt"
-                                  type: string
-                                role:
-                                  description: |-
-                                    Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                    authentication method
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                    authenticate with Vault using the JWT/OIDC authentication method.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              required:
-                                - path
-                              type: object
-                            kubernetes:
-                              description: |-
-                                Kubernetes authenticates with Vault by passing the ServiceAccount
-                                token stored in the named Secret resource to the Vault server.
-                              properties:
-                                mountPath:
-                                  default: kubernetes
-                                  description: |-
-                                    Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                    "kubernetes"
-                                  type: string
-                                role:
-                                  description: |-
-                                    A required field containing the Vault Role to assume. A Role binds a
-                                    Kubernetes ServiceAccount with a set of Vault policies.
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                    for authenticating with Vault. If a name is specified without a key,
-                                    `token` is the default. If one is not specified, the one bound to
-                                    the controller will be used.
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                serviceAccountRef:
-                                  description: |-
-                                    Optional service account field containing the name of a kubernetes ServiceAccount.
-                                    If the service account is specified, the service account secret token JWT will be used
-                                    for authenticating with Vault. If the service account selector is not supplied,
-                                    the secretRef will be used instead.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - mountPath
-                                - role
-                              type: object
-                            ldap:
-                              description: |-
-                                Ldap authenticates with Vault by passing username/password pair using
-                                the LDAP authentication method
-                              properties:
-                                path:
-                                  default: ldap
-                                  description: |-
-                                    Path where the LDAP authentication backend is mounted
-                                    in Vault, e.g: "ldap"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the LDAP
-                                    user used to authenticate with Vault using the LDAP authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a LDAP user name used to authenticate using the LDAP Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                            namespace:
-                              description: |-
-                                Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                                Namespaces is a set of features within Vault Enterprise that allows
-                                Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                                More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                                This will default to Vault.Namespace field if set, or empty otherwise
-                              type: string
-                            tokenSecretRef:
-                              description: TokenSecretRef authenticates with Vault by presenting a token.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            userPass:
-                              description: UserPass authenticates with Vault by passing username/password pair
-                              properties:
-                                path:
-                                  default: user
-                                  description: |-
-                                    Path where the UserPassword authentication backend is mounted
-                                    in Vault, e.g: "user"
-                                  type: string
-                                secretRef:
-                                  description: |-
-                                    SecretRef to a key in a Secret resource containing password for the
-                                    user used to authenticate with Vault using the UserPass authentication
-                                    method
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                username:
-                                  description: |-
-                                    Username is a user name used to authenticate using the UserPass Vault
-                                    authentication method
-                                  type: string
-                              required:
-                                - path
-                                - username
-                              type: object
-                          type: object
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate Vault server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Vault server certificate.
-                          properties:
-                            key:
-                              description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: |-
-                                The namespace the Provider type is in.
-                                Can only be defined when used in a ClusterSecretStore.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        forwardInconsistent:
-                          description: |-
-                            ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                            leader instead of simply retrying within a loop. This can increase performance if
-                            the option is enabled serverside.
-                            https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                          type: boolean
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers to be added in Vault request
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                          type: string
-                        path:
-                          description: |-
-                            Path is the mount path of the Vault KV backend endpoint, e.g:
-                            "secret". The v2 KV secret engine version specific "/data" path suffix
-                            for fetching secrets from Vault is optional and will be appended
-                            if not present in specified path.
-                          type: string
-                        readYourWrites:
-                          description: |-
-                            ReadYourWrites ensures isolated read-after-write semantics by
-                            providing discovered cluster replication states in each request.
-                            More information about eventual consistency in Vault can be found here
-                            https://www.vaultproject.io/docs/enterprise/consistency
-                          type: boolean
-                        server:
-                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                          type: string
-                        tls:
-                          description: |-
-                            The configuration used for client side related TLS communication, when the Vault server
-                            requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                            This parameter is ignored for plain HTTP protocol connection.
-                            It's worth noting this configuration is different from the "TLS certificates auth method",
-                            which is available under the `auth.cert` section.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                CertSecretRef is a certificate added to the transport layer
-                                when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            keySecretRef:
-                              description: |-
-                                KeySecretRef to a key in a Secret resource containing client private key
-                                added to the transport layer when communicating with the Vault server.
-                                If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        version:
-                          default: v2
-                          description: |-
-                            Version is the Vault KV secret engine version. This can be either "v1" or
-                            "v2". Version defaults to "v2".
-                          enum:
-                            - v1
-                            - v2
-                          type: string
-                      required:
-                        - auth
-                        - server
-                      type: object
-                    webhook:
-                      description: Webhook configures this store to sync secrets using a generic templated webhook
-                      properties:
-                        body:
-                          description: Body
-                          type: string
-                        caBundle:
-                          description: |-
-                            PEM encoded CA bundle used to validate webhook server certificate. Only used
-                            if the Server URL is using HTTPS protocol. This parameter is ignored for
-                            plain HTTP protocol connection. If not set the system root certificates
-                            are used to validate the TLS connection.
-                          format: byte
-                          type: string
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate webhook server certificate.
-                          properties:
-                            key:
-                              description: The key the value inside of the provider type to use, only used with "Secret" type
-                              type: string
-                            name:
-                              description: The name of the object located at the provider type.
-                              type: string
-                            namespace:
-                              description: The namespace the Provider type is in.
-                              type: string
-                            type:
-                              description: The type of provider to use such as "Secret", or "ConfigMap".
-                              enum:
-                                - Secret
-                                - ConfigMap
-                              type: string
-                          required:
-                            - name
-                            - type
-                          type: object
-                        headers:
-                          additionalProperties:
-                            type: string
-                          description: Headers
-                          type: object
-                        method:
-                          description: Webhook Method
-                          type: string
-                        result:
-                          description: Result formatting
-                          properties:
-                            jsonPath:
-                              description: Json path of return value
-                              type: string
-                          type: object
-                        secrets:
-                          description: |-
-                            Secrets to fill in templates
-                            These secrets will be passed to the templating function as key value pairs under the given name
-                          items:
-                            properties:
-                              name:
-                                description: Name of this secret in templates
-                                type: string
-                              secretRef:
-                                description: Secret ref to fill in credentials
-                                properties:
-                                  key:
-                                    description: |-
-                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                      defaulted, in others it may be required.
-                                    type: string
-                                  name:
-                                    description: The name of the Secret resource being referred to.
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                      to the namespace of the referent.
-                                    type: string
-                                type: object
-                            required:
-                              - name
-                              - secretRef
-                            type: object
-                          type: array
-                        timeout:
-                          description: Timeout
-                          type: string
-                        url:
-                          description: Webhook url to call
-                          type: string
-                      required:
-                        - result
-                        - url
-                      type: object
-                    yandexcertificatemanager:
-                      description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                    yandexlockbox:
-                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-                      properties:
-                        apiEndpoint:
-                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-                          type: string
-                        auth:
-                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
-                          properties:
-                            authorizedKeySecretRef:
-                              description: The authorized key used for authentication
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        caProvider:
-                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-                          properties:
-                            certSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource,
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                        - auth
-                      type: object
-                  type: object
-                refreshInterval:
-                  description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-                  type: integer
-                retrySettings:
-                  description: Used to configure http retries if failed
-                  properties:
-                    maxRetries:
-                      format: int32
-                      type: integer
-                    retryInterval:
-                      type: string
-                  type: object
-              required:
-                - provider
-              type: object
-            status:
-              description: SecretStoreStatus defines the observed state of the SecretStore.
-              properties:
-                capabilities:
-                  description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
-                  type: string
-                conditions:
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        format: date-time
-                        type: string
-                      message:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                      - status
-                      - type
-                    type: object
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: vaultdynamicsecrets.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - vaultdynamicsecret
-    kind: VaultDynamicSecret
-    listKind: VaultDynamicSecretList
-    plural: vaultdynamicsecrets
-    shortNames:
-      - vaultdynamicsecret
-    singular: vaultdynamicsecret
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                controller:
-                  description: |-
-                    Used to select the correct ESO controller (think: ingress.ingressClassName)
-                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
-                  type: string
-                method:
-                  description: Vault API method to use (GET/POST/other)
-                  type: string
-                parameters:
-                  description: Parameters to pass to Vault write (for non-GET methods)
-                  x-kubernetes-preserve-unknown-fields: true
-                path:
-                  description: Vault path to obtain the dynamic secret from
-                  type: string
-                provider:
-                  description: Vault provider common spec
-                  properties:
-                    auth:
-                      description: Auth configures how secret-manager authenticates with the Vault server.
-                      properties:
-                        appRole:
-                          description: |-
-                            AppRole authenticates with Vault using the App Role auth mechanism,
-                            with the role and secret stored in a Kubernetes Secret resource.
-                          properties:
-                            path:
-                              default: approle
-                              description: |-
-                                Path where the App Role authentication backend is mounted
-                                in Vault, e.g: "approle"
-                              type: string
-                            roleId:
-                              description: |-
-                                RoleID configured in the App Role authentication backend when setting
-                                up the authentication backend in Vault.
-                              type: string
-                            roleRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role ID used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role id.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role secret used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role secret.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                            - secretRef
-                          type: object
-                        cert:
-                          description: |-
-                            Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
-                            Cert authentication method
-                          properties:
-                            clientCert:
-                              description: |-
-                                ClientCert is a certificate to authenticate using the Cert Vault
-                                authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing client private key to
-                                authenticate with Vault using the Cert authentication method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          type: object
-                        iam:
-                          description: |-
-                            Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-                            AWS IAM authentication method
-                          properties:
-                            externalID:
-                              description: AWS External ID set on assumed IAM roles
-                              type: string
-                            jwt:
-                              description: Specify a service account with IRSA enabled
-                              properties:
-                                serviceAccountRef:
-                                  description: A reference to a ServiceAccount resource.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              type: object
-                            path:
-                              description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
-                              type: string
-                            region:
-                              description: AWS region
-                              type: string
-                            role:
-                              description: This is the AWS role to be assumed before talking to vault
-                              type: string
-                            secretRef:
-                              description: Specify credentials in a Secret object
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                                sessionTokenSecretRef:
-                                  description: |-
-                                    The SessionToken used for authentication
-                                    This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-                                    see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-                                  properties:
-                                    key:
-                                      description: |-
-                                        The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                        defaulted, in others it may be required.
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  type: object
-                              type: object
-                            vaultAwsIamServerID:
-                              description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
-                              type: string
-                            vaultRole:
-                              description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-                              type: string
-                          required:
-                            - vaultRole
-                          type: object
-                        jwt:
-                          description: |-
-                            Jwt authenticates with Vault by passing role and JWT token using the
-                            JWT/OIDC authentication method
-                          properties:
-                            kubernetesServiceAccountToken:
-                              description: |-
-                                Optional ServiceAccountToken specifies the Kubernetes service account for which to request
-                                a token for with the `TokenRequest` API.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Optional audiences field that will be used to request a temporary Kubernetes service
-                                    account token for the service account referenced by `serviceAccountRef`.
-                                    Defaults to a single audience `vault` it not specified.
-                                    Deprecated: use serviceAccountRef.Audiences instead
-                                  items:
-                                    type: string
-                                  type: array
-                                expirationSeconds:
-                                  description: |-
-                                    Optional expiration time in seconds that will be used to request a temporary
-                                    Kubernetes service account token for the service account referenced by
-                                    `serviceAccountRef`.
-                                    Deprecated: this will be removed in the future.
-                                    Defaults to 10 minutes.
-                                  format: int64
-                                  type: integer
-                                serviceAccountRef:
-                                  description: Service account field containing the name of a kubernetes ServiceAccount.
-                                  properties:
-                                    audiences:
-                                      description: |-
-                                        Audience specifies the `aud` claim for the service account token
-                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                        then this audiences will be appended to the list
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: The name of the ServiceAccount resource being referred to.
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                        to the namespace of the referent.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                              required:
-                                - serviceAccountRef
-                              type: object
-                            path:
-                              default: jwt
-                              description: |-
-                                Path where the JWT authentication backend is mounted
-                                in Vault, e.g: "jwt"
-                              type: string
-                            role:
-                              description: |-
-                                Role is a JWT role to authenticate using the JWT/OIDC Vault
-                                authentication method
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-                                authenticate with Vault using the JWT/OIDC authentication method.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                          required:
-                            - path
-                          type: object
-                        kubernetes:
-                          description: |-
-                            Kubernetes authenticates with Vault by passing the ServiceAccount
-                            token stored in the named Secret resource to the Vault server.
-                          properties:
-                            mountPath:
-                              default: kubernetes
-                              description: |-
-                                Path where the Kubernetes authentication backend is mounted in Vault, e.g:
-                                "kubernetes"
-                              type: string
-                            role:
-                              description: |-
-                                A required field containing the Vault Role to assume. A Role binds a
-                                Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: |-
-                                Optional secret field containing a Kubernetes ServiceAccount JWT used
-                                for authenticating with Vault. If a name is specified without a key,
-                                `token` is the default. If one is not specified, the one bound to
-                                the controller will be used.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            serviceAccountRef:
-                              description: |-
-                                Optional service account field containing the name of a kubernetes ServiceAccount.
-                                If the service account is specified, the service account secret token JWT will be used
-                                for authenticating with Vault. If the service account selector is not supplied,
-                                the secretRef will be used instead.
-                              properties:
-                                audiences:
-                                  description: |-
-                                    Audience specifies the `aud` claim for the service account token
-                                    If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
-                                    then this audiences will be appended to the list
-                                  items:
-                                    type: string
-                                  type: array
-                                name:
-                                  description: The name of the ServiceAccount resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          required:
-                            - mountPath
-                            - role
-                          type: object
-                        ldap:
-                          description: |-
-                            Ldap authenticates with Vault by passing username/password pair using
-                            the LDAP authentication method
-                          properties:
-                            path:
-                              default: ldap
-                              description: |-
-                                Path where the LDAP authentication backend is mounted
-                                in Vault, e.g: "ldap"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the LDAP
-                                user used to authenticate with Vault using the LDAP authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a LDAP user name used to authenticate using the LDAP Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                        namespace:
-                          description: |-
-                            Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-                            Namespaces is a set of features within Vault Enterprise that allows
-                            Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                            This will default to Vault.Namespace field if set, or empty otherwise
-                          type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        userPass:
-                          description: UserPass authenticates with Vault by passing username/password pair
-                          properties:
-                            path:
-                              default: user
-                              description: |-
-                                Path where the UserPassword authentication backend is mounted
-                                in Vault, e.g: "user"
-                              type: string
-                            secretRef:
-                              description: |-
-                                SecretRef to a key in a Secret resource containing password for the
-                                user used to authenticate with Vault using the UserPass authentication
-                                method
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                    defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: The name of the Secret resource being referred to.
-                                  type: string
-                                namespace:
-                                  description: |-
-                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                    to the namespace of the referent.
-                                  type: string
-                              type: object
-                            username:
-                              description: |-
-                                Username is a user name used to authenticate using the UserPass Vault
-                                authentication method
-                              type: string
-                          required:
-                            - path
-                            - username
-                          type: object
-                      type: object
-                    caBundle:
-                      description: |-
-                        PEM encoded CA bundle used to validate Vault server certificate. Only used
-                        if the Server URL is using HTTPS protocol. This parameter is ignored for
-                        plain HTTP protocol connection. If not set the system root certificates
-                        are used to validate the TLS connection.
-                      format: byte
-                      type: string
-                    caProvider:
-                      description: The provider for the CA bundle to use to validate Vault server certificate.
-                      properties:
-                        key:
-                          description: The key where the CA certificate can be found in the Secret or ConfigMap.
-                          type: string
-                        name:
-                          description: The name of the object located at the provider type.
-                          type: string
-                        namespace:
-                          description: |-
-                            The namespace the Provider type is in.
-                            Can only be defined when used in a ClusterSecretStore.
-                          type: string
-                        type:
-                          description: The type of provider to use such as "Secret", or "ConfigMap".
-                          enum:
-                            - Secret
-                            - ConfigMap
-                          type: string
-                      required:
-                        - name
-                        - type
-                      type: object
-                    forwardInconsistent:
-                      description: |-
-                        ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
-                        leader instead of simply retrying within a loop. This can increase performance if
-                        the option is enabled serverside.
-                        https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-                      type: boolean
-                    headers:
-                      additionalProperties:
-                        type: string
-                      description: Headers to be added in Vault request
-                      type: object
-                    namespace:
-                      description: |-
-                        Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
-                        Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-                        More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                      type: string
-                    path:
-                      description: |-
-                        Path is the mount path of the Vault KV backend endpoint, e.g:
-                        "secret". The v2 KV secret engine version specific "/data" path suffix
-                        for fetching secrets from Vault is optional and will be appended
-                        if not present in specified path.
-                      type: string
-                    readYourWrites:
-                      description: |-
-                        ReadYourWrites ensures isolated read-after-write semantics by
-                        providing discovered cluster replication states in each request.
-                        More information about eventual consistency in Vault can be found here
-                        https://www.vaultproject.io/docs/enterprise/consistency
-                      type: boolean
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                    tls:
-                      description: |-
-                        The configuration used for client side related TLS communication, when the Vault server
-                        requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-                        This parameter is ignored for plain HTTP protocol connection.
-                        It's worth noting this configuration is different from the "TLS certificates auth method",
-                        which is available under the `auth.cert` section.
-                      properties:
-                        certSecretRef:
-                          description: |-
-                            CertSecretRef is a certificate added to the transport layer
-                            when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                        keySecretRef:
-                          description: |-
-                            KeySecretRef to a key in a Secret resource containing client private key
-                            added to the transport layer when communicating with the Vault server.
-                            If no key for the Secret is specified, external-secret will default to 'tls.key'.
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
-                                defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: The name of the Secret resource being referred to.
-                              type: string
-                            namespace:
-                              description: |-
-                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
-                                to the namespace of the referent.
-                              type: string
-                          type: object
-                      type: object
-                    version:
-                      default: v2
-                      description: |-
-                        Version is the Vault KV secret engine version. This can be either "v1" or
-                        "v2". Version defaults to "v2".
-                      enum:
-                        - v1
-                        - v2
-                      type: string
-                  required:
-                    - auth
-                    - server
-                  type: object
-                resultType:
-                  default: Data
-                  description: |-
-                    Result type defines which data is returned from the generator.
-                    By default it is the "data" section of the Vault API response.
-                    When using e.g. /auth/token/create the "data" section is empty but
-                    the "auth" section contains the generated token.
-                    Please refer to the vault docs regarding the result data structure.
-                  enum:
-                    - Data
-                    - Auth
-                  type: string
-              required:
-                - path
-                - provider
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
-  labels:
-    external-secrets.io/component: controller
-  name: webhooks.generators.external-secrets.io
-spec:
-  group: generators.external-secrets.io
-  names:
-    categories:
-      - webhook
-    kind: Webhook
-    listKind: WebhookList
-    plural: webhooks
-    shortNames:
-      - webhookl
-    singular: webhook
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            Webhook connects to a third party API server to handle the secrets generation
-            configuration parameters in spec.
-            You can specify the server, the token, and additional body parameters.
-            See documentation for the full API specification for requests and responses.
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
-              properties:
-                body:
-                  description: Body
-                  type: string
-                caBundle:
-                  description: |-
-                    PEM encoded CA bundle used to validate webhook server certificate. Only used
-                    if the Server URL is using HTTPS protocol. This parameter is ignored for
-                    plain HTTP protocol connection. If not set the system root certificates
-                    are used to validate the TLS connection.
-                  format: byte
-                  type: string
-                caProvider:
-                  description: The provider for the CA bundle to use to validate webhook server certificate.
-                  properties:
-                    key:
-                      description: The key the value inside of the provider type to use, only used with "Secret" type
-                      type: string
-                    name:
-                      description: The name of the object located at the provider type.
-                      type: string
-                    namespace:
-                      description: The namespace the Provider type is in.
-                      type: string
-                    type:
-                      description: The type of provider to use such as "Secret", or "ConfigMap".
-                      enum:
-                        - Secret
-                        - ConfigMap
-                      type: string
-                  required:
-                    - name
-                    - type
-                  type: object
-                headers:
-                  additionalProperties:
-                    type: string
-                  description: Headers
-                  type: object
-                method:
-                  description: Webhook Method
-                  type: string
-                result:
-                  description: Result formatting
-                  properties:
-                    jsonPath:
-                      description: Json path of return value
-                      type: string
-                  type: object
-                secrets:
-                  description: |-
-                    Secrets to fill in templates
-                    These secrets will be passed to the templating function as key value pairs under the given name
-                  items:
-                    properties:
-                      name:
-                        description: Name of this secret in templates
-                        type: string
-                      secretRef:
-                        description: Secret ref to fill in credentials
-                        properties:
-                          key:
-                            description: The key where the token is found.
-                            type: string
-                          name:
-                            description: The name of the Secret resource being referred to.
-                            type: string
-                        type: object
-                    required:
-                      - name
-                      - secretRef
-                    type: object
-                  type: array
-                timeout:
-                  description: Timeout
-                  type: string
-                url:
-                  description: Webhook url to call
-                  type: string
-              required:
-                - result
-                - url
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions:
-        - v1
-      clientConfig:
-        service:
-          name: common-golang-external-secrets-webhook
-          namespace: "default"
-          path: /convert
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "apiextensions.k8s.io"
-    resources:
-    - "customresourcedefinitions"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "admissionregistration.k8s.io"
-    resources:
-    - "validatingwebhookconfigurations"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "endpoints"
-    verbs:
-    - "list"
-    - "get"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "secretstores"
-    - "clustersecretstores"
-    - "externalsecrets"
-    - "clusterexternalsecrets"
-    - "pushsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    - "externalsecrets/status"
-    - "externalsecrets/finalizers"
-    - "secretstores"
-    - "secretstores/status"
-    - "secretstores/finalizers"
-    - "clustersecretstores"
-    - "clustersecretstores/status"
-    - "clustersecretstores/finalizers"
-    - "clusterexternalsecrets"
-    - "clusterexternalsecrets/status"
-    - "clusterexternalsecrets/finalizers"
-    - "pushsecrets"
-    - "pushsecrets/status"
-    - "pushsecrets/finalizers"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts"
-    - "namespaces"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-  - apiGroups:
-    - ""
-    resources:
-    - "secrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
-    - "create"
-    - "update"
-    - "delete"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "serviceaccounts/token"
-    verbs:
-    - "create"
-  - apiGroups:
-    - ""
-    resources:
-    - "events"
-    verbs:
-    - "create"
-    - "patch"
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "create"
-    - "update"
-    - "delete"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-view
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "get"
-      - "watch"
-      - "list"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-edit
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - "external-secrets.io"
-    resources:
-      - "externalsecrets"
-      - "secretstores"
-      - "clustersecretstores"
-      - "pushsecrets"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
-  - apiGroups:
-    - "generators.external-secrets.io"
-    resources:
-    - "acraccesstokens"
-    - "ecrauthorizationtokens"
-    - "fakes"
-    - "gcraccesstokens"
-    - "githubaccesstokens"
-    - "passwords"
-    - "vaultdynamicsecrets"
-    - "webhooks"
-    verbs:
-      - "create"
-      - "delete"
-      - "deletecollection"
-      - "patch"
-      - "update"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: common-golang-external-secrets-servicebindings
-  labels:
-    servicebinding.io/controller: "true"
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - "external-secrets.io"
-    resources:
-    - "externalsecrets"
-    verbs:
-    - "get"
-    - "list"
-    - "watch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-cert-controller
-subjects:
-  - name: external-secrets-cert-controller
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-golang-external-secrets-controller
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: common-golang-external-secrets-controller
-subjects:
-  - name: common-golang-external-secrets
-    namespace: default
-    kind: ServiceAccount
----
-# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: role-tokenreview-binding
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: golang-external-secrets
-  namespace: golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    resourceNames:
-    - "external-secrets-controller"
-    verbs:
-    - "get"
-    - "update"
-    - "patch"
-  - apiGroups:
-    - ""
-    resources:
-    - "configmaps"
-    verbs:
-    - "create"
-  - apiGroups:
-    - "coordination.k8s.io"
-    resources:
-    - "leases"
-    verbs:
-    - "get"
-    - "create"
-    - "update"
-    - "patch"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: common-golang-external-secrets-leaderelection
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: common-golang-external-secrets-leaderelection
-subjects:
-  - kind: ServiceAccount
-    name: common-golang-external-secrets
-    namespace: default
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-    external-secrets.io/component: webhook
-spec:
-  type: ClusterIP
-  ports:
-  - port: 443
-    targetPort: 10250
-    protocol: TCP
-    name: webhook
-  selector:
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
----
-# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-cert-controller
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-cert-controller
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-cert-controller
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-cert-controller
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: external-secrets-cert-controller
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: cert-controller
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - certcontroller
-          - --crd-requeue-interval=5m
-          - --service-name=common-golang-external-secrets-webhook
-          - --service-namespace=default
-          - --secret-name=common-golang-external-secrets-webhook
-          - --secret-namespace=default
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          - --enable-partial-cache=true
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      serviceAccountName: common-golang-external-secrets
-      automountServiceAccountToken: true
-      hostNetwork: false
-      containers:
-        - name: external-secrets
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - --concurrent=1
-          - --metrics-addr=:8080
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-      dnsPolicy: ClusterFirst
----
-# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: common-golang-external-secrets-webhook
-  namespace: default
-  labels:
-    helm.sh/chart: external-secrets-0.10.0
-    app.kubernetes.io/name: external-secrets-webhook
-    app.kubernetes.io/instance: common-golang-external-secrets
-    app.kubernetes.io/version: "v0.10.0"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets-webhook
-      app.kubernetes.io/instance: common-golang-external-secrets
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: external-secrets-0.10.0
-        app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/instance: common-golang-external-secrets
-        app.kubernetes.io/version: "v0.10.0"
-        app.kubernetes.io/managed-by: Helm
-    spec:
-      hostNetwork: false
-      serviceAccountName: external-secrets-webhook
-      automountServiceAccountToken: true
-      containers:
-        - name: webhook
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-          image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
-          imagePullPolicy: IfNotPresent
-          args:
-          - webhook
-          - --port=10250
-          - --dns-name=common-golang-external-secrets-webhook.default.svc
-          - --cert-dir=/tmp/certs
-          - --check-interval=5m
-          - --metrics-addr=:8080
-          - --healthz-addr=:8081
-          - --loglevel=info
-          - --zap-time-encoding=epoch
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-            - containerPort: 10250
-              protocol: TCP
-              name: webhook
-          readinessProbe:
-            httpGet:
-              port: 8081
-              path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
-          volumeMounts:
-            - name: certs
-              mountPath: /tmp/certs
-              readOnly: true
-      volumes:
-        - name: certs
-          secret:
-            secretName: common-golang-external-secrets-webhook
----
-# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: vault-backend
-  namespace: golang-external-secrets
-spec:
-  provider:
-    vault:
-      server: https://vault-vault.apps.hub.example.com
-      path: secret
-      # Version of KV backend
-      version: v2
-
-      caProvider:
-        type: ConfigMap
-        name: kube-root-ca.crt
-        key: ca.crt
-        namespace: golang-external-secrets
-
-      auth:
-        kubernetes:
-
-          mountPath: hub
-          role: hub-role
-
-          secretRef:
-            name: golang-external-secrets
-            namespace: golang-external-secrets
-            key: "token"
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: secretstore-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.secretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["secretstores"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-secretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-
-- name: "validate.clustersecretstore.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["clustersecretstores"]
-    scope:       "Cluster"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-clustersecretstore
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
----
-# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: externalsecret-validate
-  labels:
-    external-secrets.io/component: webhook
-webhooks:
-- name: "validate.externalsecret.external-secrets.io"
-  rules:
-  - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
-    operations:  ["CREATE", "UPDATE", "DELETE"]
-    resources:   ["externalsecrets"]
-    scope:       "Namespaced"
-  clientConfig:
-    service:
-      namespace: default
-      name: common-golang-external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-externalsecret
-  admissionReviewVersions: ["v1", "v1beta1"]
-  sideEffects: None
-  timeoutSeconds: 5
-  failurePolicy: Fail
diff --git a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml
deleted file mode 100644
index 14e5c956..00000000
--- a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,410 +0,0 @@
----
-# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
----
-# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: common-hashicorp-vault-config
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-data:
-  extraconfig-from-values.hcl: |-
-    
-    disable_mlock = true
-    ui = true
-    listener "tcp" {
-      address = "[::]:8200"
-      cluster_address = "[::]:8201"
-      tls_cert_file = "/vault/userconfig/vault-secret/tls.crt"
-      tls_key_file = "/vault/userconfig/vault-secret/tls.key"
-    }
-    storage "file" {
-      path = "/vault/data"
-    }
----
-# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-hashicorp-vault-server-binding
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
----
-# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-internal
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-    vault-internal: "true"
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
-spec:
-  clusterIP: None
-  publishNotReadyAddresses: true
-  ports:
-    - name: "http"
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/server-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret
-spec:
-  # We want the servers to become available even if they're not ready
-  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-ui
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault-ui
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-  type: ClusterIP
----
-# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml
-# StatefulSet to run the actual vault server cluster.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  serviceName: common-hashicorp-vault-internal
-  podManagementPolicy: Parallel
-  replicas: 1
-  updateStrategy:
-    type: OnDelete
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: common-hashicorp-vault
-      component: server
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: vault-0.28.1
-        app.kubernetes.io/name: vault
-        app.kubernetes.io/instance: common-hashicorp-vault
-        component: server
-      annotations:
-    spec:
-      
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app.kubernetes.io/name: vault
-                  app.kubernetes.io/instance: "common-hashicorp-vault"
-                  component: server
-              topologyKey: kubernetes.io/hostname
-  
-      
-      
-      
-      terminationGracePeriodSeconds: 10
-      serviceAccountName: common-hashicorp-vault
-      
-      volumes:
-        
-        - name: config
-          configMap:
-            name: common-hashicorp-vault-config
-  
-        - name: userconfig-vault-secret
-          secret:
-            secretName: vault-secret
-            defaultMode: 420
-        - name: home
-          emptyDir: {}
-      containers:
-        - name: vault
-          
-          image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-          imagePullPolicy: IfNotPresent
-          command:
-          - "/bin/sh"
-          - "-ec"
-          args: 
-          - |
-            cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
-            [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
-            [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
-            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl 
-   
-          env:
-            - name: HOST_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.hostIP
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-            - name: VAULT_K8S_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_K8S_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: VAULT_ADDR
-              value: "http://127.0.0.1:8200"
-            - name: VAULT_API_ADDR
-              value: "http://$(POD_IP):8200"
-            - name: SKIP_CHOWN
-              value: "true"
-            - name: SKIP_SETCAP
-              value: "true"
-            - name: HOSTNAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201"
-            - name: HOME
-              value: "/home/vault"
-            
-            
-            - name: "VAULT_ADDR"
-              value: "https://vault.vault.svc.cluster.local:8200"
-            - name: "VAULT_CACERT"
-              value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-            
-          volumeMounts:
-          
-  
-    
-            - name: data
-              mountPath: /vault/data
-    
-  
-  
-            - name: config
-              mountPath: /vault/config
-  
-            - name: userconfig-vault-secret
-              readOnly: true
-              mountPath: /vault/userconfig/vault-secret
-            - name: home
-              mountPath: /home/vault
-          ports:
-            - containerPort: 8200
-              name: http
-            - containerPort: 8201
-              name: https-internal
-            - containerPort: 8202
-              name: http-rep
-          readinessProbe:
-            # Check status; unsealed vault servers return 0
-            # The exit code reflects the seal status:
-            #   0 - unsealed
-            #   1 - error
-            #   2 - sealed
-            exec:
-              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 3
-          lifecycle:
-            # Vault container doesn't receive SIGTERM from Kubernetes
-            # and after the grace period ends, Kube sends SIGKILL.  This
-            # causes issues with graceful shutdowns such as deregistering itself
-            # from Consul (zombie services).
-            preStop:
-              exec:
-                command: [
-                  "/bin/sh", "-c",
-                  # Adding a sleep here to give the pod eviction a
-                  # chance to propagate, so requests will not be made
-                  # to this pod while it's terminating
-                  "sleep 5 && kill -SIGTERM $(pidof vault)",
-                ]
-      
-  
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      
-      
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 10Gi
----
-# Source: hashicorp-vault/templates/vault-app.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: vault-link
-  namespace: vault
-spec:
-  applicationMenu:
-    section: HashiCorp Vault
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg==
-  href: 'https://vault-vault.apps.region.example.com'
-  location: ApplicationMenu
-  text: 'Vault'
----
-# Source: hashicorp-vault/charts/vault/templates/server-route.yaml
-kind: Route
-apiVersion: route.openshift.io/v1
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  host: 
-  to:
-    kind: Service
-    name: common-hashicorp-vault
-    weight: 100
-  port:
-    targetPort: 8200
-  tls:
-    termination: reencrypt
----
-# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: common-hashicorp-vault-server-test
-  namespace: pattern-namespace
-  annotations:
-    "helm.sh/hook": test
-spec:
-  
-  containers:
-    - name: common-hashicorp-vault-server-test
-      image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-      imagePullPolicy: IfNotPresent
-      env:
-        - name: VAULT_ADDR
-          value: http://common-hashicorp-vault.pattern-namespace.svc:8200
-        
-        - name: "VAULT_ADDR"
-          value: "https://vault.vault.svc.cluster.local:8200"
-        - name: "VAULT_CACERT"
-          value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-      command:
-        - /bin/sh
-        - -c
-        - |
-          echo "Checking for sealed info in 'vault status' output"
-          ATTEMPTS=10
-          n=0
-          until [ "$n" -ge $ATTEMPTS ]
-          do
-            echo "Attempt" $n...
-            vault status -format yaml | grep -E '^sealed: (true|false)' && break
-            n=$((n+1))
-            sleep 5
-          done
-          if [ $n -ge $ATTEMPTS ]; then
-            echo "timed out looking for sealed info in 'vault status' output"
-            exit 1
-          fi
-
-          exit 0
-      volumeMounts:
-  volumes:
-  restartPolicy: Never
diff --git a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml
deleted file mode 100644
index 14e5c956..00000000
--- a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,410 +0,0 @@
----
-# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
----
-# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: common-hashicorp-vault-config
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-data:
-  extraconfig-from-values.hcl: |-
-    
-    disable_mlock = true
-    ui = true
-    listener "tcp" {
-      address = "[::]:8200"
-      cluster_address = "[::]:8201"
-      tls_cert_file = "/vault/userconfig/vault-secret/tls.crt"
-      tls_key_file = "/vault/userconfig/vault-secret/tls.key"
-    }
-    storage "file" {
-      path = "/vault/data"
-    }
----
-# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-hashicorp-vault-server-binding
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
----
-# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-internal
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-    vault-internal: "true"
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
-spec:
-  clusterIP: None
-  publishNotReadyAddresses: true
-  ports:
-    - name: "http"
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/server-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret
-spec:
-  # We want the servers to become available even if they're not ready
-  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-ui
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault-ui
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-  type: ClusterIP
----
-# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml
-# StatefulSet to run the actual vault server cluster.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  serviceName: common-hashicorp-vault-internal
-  podManagementPolicy: Parallel
-  replicas: 1
-  updateStrategy:
-    type: OnDelete
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: common-hashicorp-vault
-      component: server
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: vault-0.28.1
-        app.kubernetes.io/name: vault
-        app.kubernetes.io/instance: common-hashicorp-vault
-        component: server
-      annotations:
-    spec:
-      
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app.kubernetes.io/name: vault
-                  app.kubernetes.io/instance: "common-hashicorp-vault"
-                  component: server
-              topologyKey: kubernetes.io/hostname
-  
-      
-      
-      
-      terminationGracePeriodSeconds: 10
-      serviceAccountName: common-hashicorp-vault
-      
-      volumes:
-        
-        - name: config
-          configMap:
-            name: common-hashicorp-vault-config
-  
-        - name: userconfig-vault-secret
-          secret:
-            secretName: vault-secret
-            defaultMode: 420
-        - name: home
-          emptyDir: {}
-      containers:
-        - name: vault
-          
-          image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-          imagePullPolicy: IfNotPresent
-          command:
-          - "/bin/sh"
-          - "-ec"
-          args: 
-          - |
-            cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
-            [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
-            [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
-            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl 
-   
-          env:
-            - name: HOST_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.hostIP
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-            - name: VAULT_K8S_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_K8S_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: VAULT_ADDR
-              value: "http://127.0.0.1:8200"
-            - name: VAULT_API_ADDR
-              value: "http://$(POD_IP):8200"
-            - name: SKIP_CHOWN
-              value: "true"
-            - name: SKIP_SETCAP
-              value: "true"
-            - name: HOSTNAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201"
-            - name: HOME
-              value: "/home/vault"
-            
-            
-            - name: "VAULT_ADDR"
-              value: "https://vault.vault.svc.cluster.local:8200"
-            - name: "VAULT_CACERT"
-              value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-            
-          volumeMounts:
-          
-  
-    
-            - name: data
-              mountPath: /vault/data
-    
-  
-  
-            - name: config
-              mountPath: /vault/config
-  
-            - name: userconfig-vault-secret
-              readOnly: true
-              mountPath: /vault/userconfig/vault-secret
-            - name: home
-              mountPath: /home/vault
-          ports:
-            - containerPort: 8200
-              name: http
-            - containerPort: 8201
-              name: https-internal
-            - containerPort: 8202
-              name: http-rep
-          readinessProbe:
-            # Check status; unsealed vault servers return 0
-            # The exit code reflects the seal status:
-            #   0 - unsealed
-            #   1 - error
-            #   2 - sealed
-            exec:
-              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 3
-          lifecycle:
-            # Vault container doesn't receive SIGTERM from Kubernetes
-            # and after the grace period ends, Kube sends SIGKILL.  This
-            # causes issues with graceful shutdowns such as deregistering itself
-            # from Consul (zombie services).
-            preStop:
-              exec:
-                command: [
-                  "/bin/sh", "-c",
-                  # Adding a sleep here to give the pod eviction a
-                  # chance to propagate, so requests will not be made
-                  # to this pod while it's terminating
-                  "sleep 5 && kill -SIGTERM $(pidof vault)",
-                ]
-      
-  
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      
-      
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 10Gi
----
-# Source: hashicorp-vault/templates/vault-app.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: vault-link
-  namespace: vault
-spec:
-  applicationMenu:
-    section: HashiCorp Vault
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg==
-  href: 'https://vault-vault.apps.region.example.com'
-  location: ApplicationMenu
-  text: 'Vault'
----
-# Source: hashicorp-vault/charts/vault/templates/server-route.yaml
-kind: Route
-apiVersion: route.openshift.io/v1
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  host: 
-  to:
-    kind: Service
-    name: common-hashicorp-vault
-    weight: 100
-  port:
-    targetPort: 8200
-  tls:
-    termination: reencrypt
----
-# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: common-hashicorp-vault-server-test
-  namespace: pattern-namespace
-  annotations:
-    "helm.sh/hook": test
-spec:
-  
-  containers:
-    - name: common-hashicorp-vault-server-test
-      image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-      imagePullPolicy: IfNotPresent
-      env:
-        - name: VAULT_ADDR
-          value: http://common-hashicorp-vault.pattern-namespace.svc:8200
-        
-        - name: "VAULT_ADDR"
-          value: "https://vault.vault.svc.cluster.local:8200"
-        - name: "VAULT_CACERT"
-          value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-      command:
-        - /bin/sh
-        - -c
-        - |
-          echo "Checking for sealed info in 'vault status' output"
-          ATTEMPTS=10
-          n=0
-          until [ "$n" -ge $ATTEMPTS ]
-          do
-            echo "Attempt" $n...
-            vault status -format yaml | grep -E '^sealed: (true|false)' && break
-            n=$((n+1))
-            sleep 5
-          done
-          if [ $n -ge $ATTEMPTS ]; then
-            echo "timed out looking for sealed info in 'vault status' output"
-            exit 1
-          fi
-
-          exit 0
-      volumeMounts:
-  volumes:
-  restartPolicy: Never
diff --git a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index 14e5c956..00000000
--- a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,410 +0,0 @@
----
-# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
----
-# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: common-hashicorp-vault-config
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-data:
-  extraconfig-from-values.hcl: |-
-    
-    disable_mlock = true
-    ui = true
-    listener "tcp" {
-      address = "[::]:8200"
-      cluster_address = "[::]:8201"
-      tls_cert_file = "/vault/userconfig/vault-secret/tls.crt"
-      tls_key_file = "/vault/userconfig/vault-secret/tls.key"
-    }
-    storage "file" {
-      path = "/vault/data"
-    }
----
-# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-hashicorp-vault-server-binding
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
----
-# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-internal
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-    vault-internal: "true"
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
-spec:
-  clusterIP: None
-  publishNotReadyAddresses: true
-  ports:
-    - name: "http"
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/server-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret
-spec:
-  # We want the servers to become available even if they're not ready
-  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-ui
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault-ui
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-  type: ClusterIP
----
-# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml
-# StatefulSet to run the actual vault server cluster.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  serviceName: common-hashicorp-vault-internal
-  podManagementPolicy: Parallel
-  replicas: 1
-  updateStrategy:
-    type: OnDelete
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: common-hashicorp-vault
-      component: server
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: vault-0.28.1
-        app.kubernetes.io/name: vault
-        app.kubernetes.io/instance: common-hashicorp-vault
-        component: server
-      annotations:
-    spec:
-      
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app.kubernetes.io/name: vault
-                  app.kubernetes.io/instance: "common-hashicorp-vault"
-                  component: server
-              topologyKey: kubernetes.io/hostname
-  
-      
-      
-      
-      terminationGracePeriodSeconds: 10
-      serviceAccountName: common-hashicorp-vault
-      
-      volumes:
-        
-        - name: config
-          configMap:
-            name: common-hashicorp-vault-config
-  
-        - name: userconfig-vault-secret
-          secret:
-            secretName: vault-secret
-            defaultMode: 420
-        - name: home
-          emptyDir: {}
-      containers:
-        - name: vault
-          
-          image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-          imagePullPolicy: IfNotPresent
-          command:
-          - "/bin/sh"
-          - "-ec"
-          args: 
-          - |
-            cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
-            [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
-            [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
-            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl 
-   
-          env:
-            - name: HOST_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.hostIP
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-            - name: VAULT_K8S_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_K8S_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: VAULT_ADDR
-              value: "http://127.0.0.1:8200"
-            - name: VAULT_API_ADDR
-              value: "http://$(POD_IP):8200"
-            - name: SKIP_CHOWN
-              value: "true"
-            - name: SKIP_SETCAP
-              value: "true"
-            - name: HOSTNAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201"
-            - name: HOME
-              value: "/home/vault"
-            
-            
-            - name: "VAULT_ADDR"
-              value: "https://vault.vault.svc.cluster.local:8200"
-            - name: "VAULT_CACERT"
-              value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-            
-          volumeMounts:
-          
-  
-    
-            - name: data
-              mountPath: /vault/data
-    
-  
-  
-            - name: config
-              mountPath: /vault/config
-  
-            - name: userconfig-vault-secret
-              readOnly: true
-              mountPath: /vault/userconfig/vault-secret
-            - name: home
-              mountPath: /home/vault
-          ports:
-            - containerPort: 8200
-              name: http
-            - containerPort: 8201
-              name: https-internal
-            - containerPort: 8202
-              name: http-rep
-          readinessProbe:
-            # Check status; unsealed vault servers return 0
-            # The exit code reflects the seal status:
-            #   0 - unsealed
-            #   1 - error
-            #   2 - sealed
-            exec:
-              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 3
-          lifecycle:
-            # Vault container doesn't receive SIGTERM from Kubernetes
-            # and after the grace period ends, Kube sends SIGKILL.  This
-            # causes issues with graceful shutdowns such as deregistering itself
-            # from Consul (zombie services).
-            preStop:
-              exec:
-                command: [
-                  "/bin/sh", "-c",
-                  # Adding a sleep here to give the pod eviction a
-                  # chance to propagate, so requests will not be made
-                  # to this pod while it's terminating
-                  "sleep 5 && kill -SIGTERM $(pidof vault)",
-                ]
-      
-  
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      
-      
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 10Gi
----
-# Source: hashicorp-vault/templates/vault-app.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: vault-link
-  namespace: vault
-spec:
-  applicationMenu:
-    section: HashiCorp Vault
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg==
-  href: 'https://vault-vault.apps.region.example.com'
-  location: ApplicationMenu
-  text: 'Vault'
----
-# Source: hashicorp-vault/charts/vault/templates/server-route.yaml
-kind: Route
-apiVersion: route.openshift.io/v1
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  host: 
-  to:
-    kind: Service
-    name: common-hashicorp-vault
-    weight: 100
-  port:
-    targetPort: 8200
-  tls:
-    termination: reencrypt
----
-# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: common-hashicorp-vault-server-test
-  namespace: pattern-namespace
-  annotations:
-    "helm.sh/hook": test
-spec:
-  
-  containers:
-    - name: common-hashicorp-vault-server-test
-      image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-      imagePullPolicy: IfNotPresent
-      env:
-        - name: VAULT_ADDR
-          value: http://common-hashicorp-vault.pattern-namespace.svc:8200
-        
-        - name: "VAULT_ADDR"
-          value: "https://vault.vault.svc.cluster.local:8200"
-        - name: "VAULT_CACERT"
-          value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-      command:
-        - /bin/sh
-        - -c
-        - |
-          echo "Checking for sealed info in 'vault status' output"
-          ATTEMPTS=10
-          n=0
-          until [ "$n" -ge $ATTEMPTS ]
-          do
-            echo "Attempt" $n...
-            vault status -format yaml | grep -E '^sealed: (true|false)' && break
-            n=$((n+1))
-            sleep 5
-          done
-          if [ $n -ge $ATTEMPTS ]; then
-            echo "timed out looking for sealed info in 'vault status' output"
-            exit 1
-          fi
-
-          exit 0
-      volumeMounts:
-  volumes:
-  restartPolicy: Never
diff --git a/tests/common-hashicorp-vault-naked.expected.yaml b/tests/common-hashicorp-vault-naked.expected.yaml
deleted file mode 100644
index 8003384e..00000000
--- a/tests/common-hashicorp-vault-naked.expected.yaml
+++ /dev/null
@@ -1,410 +0,0 @@
----
-# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-hashicorp-vault
-  namespace: default
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
----
-# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: common-hashicorp-vault-config
-  namespace: default
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-data:
-  extraconfig-from-values.hcl: |-
-    
-    disable_mlock = true
-    ui = true
-    listener "tcp" {
-      address = "[::]:8200"
-      cluster_address = "[::]:8201"
-      tls_cert_file = "/vault/userconfig/vault-secret/tls.crt"
-      tls_key_file = "/vault/userconfig/vault-secret/tls.key"
-    }
-    storage "file" {
-      path = "/vault/data"
-    }
----
-# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-hashicorp-vault-server-binding
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: common-hashicorp-vault
-  namespace: default
----
-# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-internal
-  namespace: default
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-    vault-internal: "true"
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
-spec:
-  clusterIP: None
-  publishNotReadyAddresses: true
-  ports:
-    - name: "http"
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/server-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault
-  namespace: default
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret
-spec:
-  # We want the servers to become available even if they're not ready
-  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-ui
-  namespace: default
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault-ui
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-  type: ClusterIP
----
-# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml
-# StatefulSet to run the actual vault server cluster.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: common-hashicorp-vault
-  namespace: default
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  serviceName: common-hashicorp-vault-internal
-  podManagementPolicy: Parallel
-  replicas: 1
-  updateStrategy:
-    type: OnDelete
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: common-hashicorp-vault
-      component: server
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: vault-0.28.1
-        app.kubernetes.io/name: vault
-        app.kubernetes.io/instance: common-hashicorp-vault
-        component: server
-      annotations:
-    spec:
-      
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app.kubernetes.io/name: vault
-                  app.kubernetes.io/instance: "common-hashicorp-vault"
-                  component: server
-              topologyKey: kubernetes.io/hostname
-  
-      
-      
-      
-      terminationGracePeriodSeconds: 10
-      serviceAccountName: common-hashicorp-vault
-      
-      volumes:
-        
-        - name: config
-          configMap:
-            name: common-hashicorp-vault-config
-  
-        - name: userconfig-vault-secret
-          secret:
-            secretName: vault-secret
-            defaultMode: 420
-        - name: home
-          emptyDir: {}
-      containers:
-        - name: vault
-          
-          image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-          imagePullPolicy: IfNotPresent
-          command:
-          - "/bin/sh"
-          - "-ec"
-          args: 
-          - |
-            cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
-            [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
-            [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
-            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl 
-   
-          env:
-            - name: HOST_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.hostIP
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-            - name: VAULT_K8S_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_K8S_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: VAULT_ADDR
-              value: "http://127.0.0.1:8200"
-            - name: VAULT_API_ADDR
-              value: "http://$(POD_IP):8200"
-            - name: SKIP_CHOWN
-              value: "true"
-            - name: SKIP_SETCAP
-              value: "true"
-            - name: HOSTNAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201"
-            - name: HOME
-              value: "/home/vault"
-            
-            
-            - name: "VAULT_ADDR"
-              value: "https://vault.vault.svc.cluster.local:8200"
-            - name: "VAULT_CACERT"
-              value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-            
-          volumeMounts:
-          
-  
-    
-            - name: data
-              mountPath: /vault/data
-    
-  
-  
-            - name: config
-              mountPath: /vault/config
-  
-            - name: userconfig-vault-secret
-              readOnly: true
-              mountPath: /vault/userconfig/vault-secret
-            - name: home
-              mountPath: /home/vault
-          ports:
-            - containerPort: 8200
-              name: http
-            - containerPort: 8201
-              name: https-internal
-            - containerPort: 8202
-              name: http-rep
-          readinessProbe:
-            # Check status; unsealed vault servers return 0
-            # The exit code reflects the seal status:
-            #   0 - unsealed
-            #   1 - error
-            #   2 - sealed
-            exec:
-              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 3
-          lifecycle:
-            # Vault container doesn't receive SIGTERM from Kubernetes
-            # and after the grace period ends, Kube sends SIGKILL.  This
-            # causes issues with graceful shutdowns such as deregistering itself
-            # from Consul (zombie services).
-            preStop:
-              exec:
-                command: [
-                  "/bin/sh", "-c",
-                  # Adding a sleep here to give the pod eviction a
-                  # chance to propagate, so requests will not be made
-                  # to this pod while it's terminating
-                  "sleep 5 && kill -SIGTERM $(pidof vault)",
-                ]
-      
-  
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      
-      
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 10Gi
----
-# Source: hashicorp-vault/templates/vault-app.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: vault-link
-  namespace: vault
-spec:
-  applicationMenu:
-    section: HashiCorp Vault
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg==
-  href: 'https://vault-vault.apps.foo.cluster.com'
-  location: ApplicationMenu
-  text: 'Vault'
----
-# Source: hashicorp-vault/charts/vault/templates/server-route.yaml
-kind: Route
-apiVersion: route.openshift.io/v1
-metadata:
-  name: common-hashicorp-vault
-  namespace: default
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  host: 
-  to:
-    kind: Service
-    name: common-hashicorp-vault
-    weight: 100
-  port:
-    targetPort: 8200
-  tls:
-    termination: reencrypt
----
-# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: common-hashicorp-vault-server-test
-  namespace: default
-  annotations:
-    "helm.sh/hook": test
-spec:
-  
-  containers:
-    - name: common-hashicorp-vault-server-test
-      image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-      imagePullPolicy: IfNotPresent
-      env:
-        - name: VAULT_ADDR
-          value: http://common-hashicorp-vault.default.svc:8200
-        
-        - name: "VAULT_ADDR"
-          value: "https://vault.vault.svc.cluster.local:8200"
-        - name: "VAULT_CACERT"
-          value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-      command:
-        - /bin/sh
-        - -c
-        - |
-          echo "Checking for sealed info in 'vault status' output"
-          ATTEMPTS=10
-          n=0
-          until [ "$n" -ge $ATTEMPTS ]
-          do
-            echo "Attempt" $n...
-            vault status -format yaml | grep -E '^sealed: (true|false)' && break
-            n=$((n+1))
-            sleep 5
-          done
-          if [ $n -ge $ATTEMPTS ]; then
-            echo "timed out looking for sealed info in 'vault status' output"
-            exit 1
-          fi
-
-          exit 0
-      volumeMounts:
-  volumes:
-  restartPolicy: Never
diff --git a/tests/common-hashicorp-vault-normal.expected.yaml b/tests/common-hashicorp-vault-normal.expected.yaml
deleted file mode 100644
index 14e5c956..00000000
--- a/tests/common-hashicorp-vault-normal.expected.yaml
+++ /dev/null
@@ -1,410 +0,0 @@
----
-# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
----
-# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: common-hashicorp-vault-config
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-data:
-  extraconfig-from-values.hcl: |-
-    
-    disable_mlock = true
-    ui = true
-    listener "tcp" {
-      address = "[::]:8200"
-      cluster_address = "[::]:8201"
-      tls_cert_file = "/vault/userconfig/vault-secret/tls.crt"
-      tls_key_file = "/vault/userconfig/vault-secret/tls.key"
-    }
-    storage "file" {
-      path = "/vault/data"
-    }
----
-# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: common-hashicorp-vault-server-binding
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
----
-# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-internal
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-    vault-internal: "true"
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
-spec:
-  clusterIP: None
-  publishNotReadyAddresses: true
-  ports:
-    - name: "http"
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/server-service.yaml
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-
-
-    service.beta.openshift.io/serving-cert-secret-name: vault-secret
-spec:
-  # We want the servers to become available even if they're not ready
-  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
----
-# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: common-hashicorp-vault-ui
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault-ui
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    component: server
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-  type: ClusterIP
----
-# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml
-# StatefulSet to run the actual vault server cluster.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  serviceName: common-hashicorp-vault-internal
-  podManagementPolicy: Parallel
-  replicas: 1
-  updateStrategy:
-    type: OnDelete
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: common-hashicorp-vault
-      component: server
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: vault-0.28.1
-        app.kubernetes.io/name: vault
-        app.kubernetes.io/instance: common-hashicorp-vault
-        component: server
-      annotations:
-    spec:
-      
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app.kubernetes.io/name: vault
-                  app.kubernetes.io/instance: "common-hashicorp-vault"
-                  component: server
-              topologyKey: kubernetes.io/hostname
-  
-      
-      
-      
-      terminationGracePeriodSeconds: 10
-      serviceAccountName: common-hashicorp-vault
-      
-      volumes:
-        
-        - name: config
-          configMap:
-            name: common-hashicorp-vault-config
-  
-        - name: userconfig-vault-secret
-          secret:
-            secretName: vault-secret
-            defaultMode: 420
-        - name: home
-          emptyDir: {}
-      containers:
-        - name: vault
-          
-          image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-          imagePullPolicy: IfNotPresent
-          command:
-          - "/bin/sh"
-          - "-ec"
-          args: 
-          - |
-            cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
-            [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
-            [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
-            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl 
-   
-          env:
-            - name: HOST_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.hostIP
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-            - name: VAULT_K8S_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_K8S_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: VAULT_ADDR
-              value: "http://127.0.0.1:8200"
-            - name: VAULT_API_ADDR
-              value: "http://$(POD_IP):8200"
-            - name: SKIP_CHOWN
-              value: "true"
-            - name: SKIP_SETCAP
-              value: "true"
-            - name: HOSTNAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).common-hashicorp-vault-internal:8201"
-            - name: HOME
-              value: "/home/vault"
-            
-            
-            - name: "VAULT_ADDR"
-              value: "https://vault.vault.svc.cluster.local:8200"
-            - name: "VAULT_CACERT"
-              value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-            
-          volumeMounts:
-          
-  
-    
-            - name: data
-              mountPath: /vault/data
-    
-  
-  
-            - name: config
-              mountPath: /vault/config
-  
-            - name: userconfig-vault-secret
-              readOnly: true
-              mountPath: /vault/userconfig/vault-secret
-            - name: home
-              mountPath: /home/vault
-          ports:
-            - containerPort: 8200
-              name: http
-            - containerPort: 8201
-              name: https-internal
-            - containerPort: 8202
-              name: http-rep
-          readinessProbe:
-            # Check status; unsealed vault servers return 0
-            # The exit code reflects the seal status:
-            #   0 - unsealed
-            #   1 - error
-            #   2 - sealed
-            exec:
-              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 3
-          lifecycle:
-            # Vault container doesn't receive SIGTERM from Kubernetes
-            # and after the grace period ends, Kube sends SIGKILL.  This
-            # causes issues with graceful shutdowns such as deregistering itself
-            # from Consul (zombie services).
-            preStop:
-              exec:
-                command: [
-                  "/bin/sh", "-c",
-                  # Adding a sleep here to give the pod eviction a
-                  # chance to propagate, so requests will not be made
-                  # to this pod while it's terminating
-                  "sleep 5 && kill -SIGTERM $(pidof vault)",
-                ]
-      
-  
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      
-      
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 10Gi
----
-# Source: hashicorp-vault/templates/vault-app.yaml
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
-  name: vault-link
-  namespace: vault
-spec:
-  applicationMenu:
-    section: HashiCorp Vault
-    imageURL: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAf0AAAHhCAQAAADO0a/jAAAcYElEQVR42u2dB5hU5fWHzy5NmoBd7LH3WIIFFVS6goJRFBVjwYqKIhgbCFgQO2LBBoKKBQWFYIt/E2NHo4SABERAaui9LOzm/41DCLA7M7ffr7zv++Qxj48c7j3n++3Mztz7XZGh8h9EdMyhIodKGY1AdMoylXvFAFqB6JQD5Ff2lhKageiMJSrzG7mHdiA64z2yiZ1kFQ1BdMJVKu+b0Y2WIDphN9mCbWURTUG03kUq61txJW1BtN4rpRzVZBaNQbTaWSrnFdCe1iBabXupkEoymeYgWutklfEcNKc9iNbaXPLwHQ1CtNLvJC9NaRGilTaVAoykSYjWOVIKchxtQrTO48QDL9EoRKt8STxxiJTSLERrLFWZ9kh/2oVojf3FM3vKOhqGaIXrVJ590IeWIVphH/HFjrKSpiEa70qVZZ90pW2IxttVfFNbFtI4RKNdqHIcgCtoHaLRXiGBqCYzaR6isc6seGMOL5xL+xCN9VwJTLFMooGIRjpJ5TcEzWghopE2k5CMpYmIxjlWQnM6bUQ0ztMlAkbQSESjHCGR8DtaiWiUv5OIGEwzEY1xsETGQWzegWiIpSqvEfIYLUU0wsckUvZg8w5EA1ynshoxvWgrovb2ksjZQVbQWEStXaFyGgM301pErb1ZYqGWLKC5iNq6QGU0Ji6nvYjaernERlWZQYMRtXSGymeMnEOLEbX0HImVYplIkxG1c2K4jTm80IQ2I2pnE0mAr2k0olZ+LYlwKq1G1MpTJSHeotmI2viWJMYxtBtRG4+RBHmRhiNq4YuSKAfIBpqOmLobVBYT5lHajpi6j0ri7C5raTxiqq5VOUyBnrQeMVV7SipsJ8tpPmJqLlcZTIkutB8xNbtIatSU+QwAMRXnq/ylyKWMADEVL5VUqSLTGQJi4k5X2UuZdowBMXHbSeoUywQGgZioE+LfmMMLZzEKxEQ9SzThI4aBmJgfiTY0YhyIidlINGI4A0FMxOGiFUcxEsREPEo043mGghi7z4t27M/mHYgxu0HlTEMeZjSIsfqwaEl9WcNwEGNzjcqYpvRgPIix2UO0pZ4sY0CIsbhM5UtjbmREiLF4o2hNDZnHkBAjd57KluZcwpgQI/cS0Z4q8jODQozUn9PfmMMLZzMqxEg9W4ygSMYzLMTIHK8yZQitGRdiZLYWg/iAgSFG4gdiFCczMsRIPFkM4w2GhhjaN8Q4jpQyBocYyjKVIwN5jtEhhvI5MZJ9ZT3DQwzsepUhQ3mQ8SEG9kExll1lNQNEDORqlR+DuZMRIgbyTjGaurKEISL6donKjuFczxgRfXu9GE91mcsgEX05V+XGAjoySkRfdhQrqCxTGSaiZ6eqzFhCG8aJ6Nk2Yg1FMo6BInpynDkbc3ihFSNF9GQrsYz3GSpiQd8X62jIWBEL2lAs5DUGi5jX18RKjmDzDsQ8lqmMWMpAxouY04FiLb9h8w7EHJaofFhMP0aMWKH9xGp2kVUMGbGcq1Q2LOcOxoxYzjvEeurIYgaNuIWLVS4c4DpGjbiF14kTVJc5DBtxk3Ps2JjDCxcx7kAXfCyUf8rH8lf5lyzTuGbWNTJNvpAP5QeZKxuYXl4vEmeoLJMZuA+XyMtygdTbood7yNUyStZpVTPrFLlfGmxx4+k20kqelJlMskIn27MxhxdaM3KPrpA+eT4C2lNeDPCaGkfNrAvkKinOUbeK+sEym4mWs7U4RZF8ydA9+L7sVLCXh8qPqdfM+sFW7yIq+pynP1Pdwi/t2pjDCy0Ye0EflkqeermtjE61ZtZX1eu6Fy4P/SuFTbYQBxnD4PPa00cvi2VkajWzjvLx6tWGezg3Okac5ARGn8fhPt8I1pZ/plIz63TZzlfl25nwr54gjjKM4edwmtT03c39C7yRjqPmfz3Jd+X3mLJa/85yGG/8chjsEQz9E6+Z9a0AdQ+XUuev0zhMHOZpYl6BE3J+QZafnWVlojWzrpcDA1V+xfEpPy1Os7eUEPVyBn/U4kuJ1sz6ZsC6Jzo94xK19h2nL1EvZ/DdWs5NtGbW5gHrFstCh2fcV5xnp4JvKF3zxxDdrJNjC7Q4amadEfAXiQwvOzvjlR4uq3KA24j7VpfGhGFyYjWzPhKibldnZ3wbsc9eN7aIwEcUJpFPE6uZtVmIuhc6OuFFas3Dr1xL4Dfz1lC9fCOxmhlXyzYh6p7u6ISvJfL/parMIvKbvCFUL/8UQ82X8nxlGAY3H8Y2S6132EQHIr/Je0N9JLcu8pr5HpW6MFTddk7OtwNx35xKbN6xyRdC9LFjDDVFfshzRVqVEHVd/EVvssc7Jx3iDEK/0Y9DdPGjGGoWy5I8R7tfiMouPpDlDKJenu+I/a+uDXCbTZZjY6gpclzeow2zl+w452b7HTGviGbEfqNnBezg2zHUFOmT91iD33G+h4OTbUbMK2Y0sQ9xAU6DvPdBBr2op7jAVl1rZEcu6PHoaCIe7K2lO5bKob57V0XGR14zQ+GN0x8NVLeW/Nu5uR5HxHPzCsH/1RG+O9czhpqZHyhTPXw2sUeAync6N9NXiHc+DnF+A4dg3/628LR9tv9vlB/2dKx/9r2T/FHOPXG5VK1tyMtTxH7j79DHeu7Z4bI88pr5rhIo7+O+6u4kM5yb51NEuxC7s1XzRmer10YvHOHjwRZea2Zoq97Kez/aOz3X3UXGOjfLdWpdQ0HuJ/YbXSXnefhKdHnkNTOPSOnpe9/E16SGp2sPXLxf435i7YUdZAWx3+TQPPvr1JIH826jEaRmhuPlL4GOdZK0y1u3nvRVv3S4N8MVak2DJ24l8ptZIs/IyeWu/K4jV4Z4gGXFNUW9bp8p74Q62rFykWxf4a8lvWWpoxO8lUh7pbbMIfJbuVhel/vkBvV2/Q9ytwyP5NXzfzUvlK7ST8ZE9JpcKp/Lo2rBXyLnyDXSSwY5/ZTdOWo9g2euJuxoiVcTZz9U42nsaIUz1VoGX1zAskELvIAo+6WSTGLhoOFOYmOOILRi6aDhtiLGwRjL4kGDHUuEg9KE5YMG24QIB2cUCwgNdRTxDcORLKGNrpe/ySDpK13kFnlIXs6zS266NbP+LK/L43KbXC995Dl537lbdDMeQXzDMZTYy7vSXuqW68zucqV8o1XNjNOkewV3pm8jLdSPAJceqD6U6IblYE+bUNjrxwW2dWorE7SomXGedM77ZJl9ZIgjW7FsUOsWQjPA2dhvkBs99KeKDEy5Ztb/q/C2na1pkXdXf1scQGyjYE8nb/T8j4qI90+Ir/X43iiOmlmf9LxJ1wHWP2lpTaDdCqEC7nXyFd/fV0NdU6qZ1d9W3/vIQqtndy+RjYodfO5EY4M3+u7SkFRqZvxWqvus2zjQFiNmuJyNOaKku3Mf7vmnRoFdDuKomX0vcWCAyvY+b687cY2SWrLAqegHe1jDNYnXzPh8oLrbWbpnzwK1ViFSrnLqe/xgVJHpidbMWBL4I62eVs7uSqIaNdUc2ru9feAu9Uu0ZtBfI7LsZ+HkZrAxRxy0d+aS3bqBe9QowZpZbw4x0X/xQxu8UFzggZK2+LcQPaqc47uQOGpmDXPV2mOWTW68WqMQCy2ciP6gUD36R2I1s1YNUbezZZNrQUTj42sHoh/uSS0fJVYz4+JQdX9v1dy+Jp5xcoID0e8SqkNDE6uZcWKouidbNbcTiGe8vGN99G8J1Z/hMdR8LeexTglV9zSLpvYO0YybY62P/kOh+vNtDDU/yXmsK0LV7WDR1I4hmvEzxPLovxyqOwtiqPljnqOtGaJuV2tmNoRYJsEBlm/e8UOI3uwbQ82asjbP0TYIUXmwNXdZHkAsk+EJy1/3dwvcmd4x1GyT91h7Ba5bLPMtmdcTRDIpds/7OuTudeBFMi2Ga8sHFrhh1/Vva9aq9QiJ0cfq6H8TsCsXx1CzjizOe6xlcrTjb/f7EMck2V6WWR3+toF6siDymiL3FDzW9wLVPdSSDTqXedqRECLkFqujP0Gq+O7I0Bhq1peVHo721ADzG81VGBCMWtZ8SFSxA332o0cMNavK556Odbbs6rNyN0umNJ+NOdKgk+Wf81/roxedY6gp8oLnY/3K133qZ1izG38nYpgGVQvsH2P+t8VdPfWhkvSVsohrZrr7gq+j/avs6LFyB1ltyYSmh7pvEUJwnvUX9Q6RGgV/G/9L5DUzVT8PEITCn/VXtmo7zvOIYFoUB3xAlEnOkWtyfjy3rfTx9DGcn5qZr/PuCVQ1855ikOyV56qDDvKTVR/FsjFHijRz4CbezCMs+0mjLZ5uUyynSP9QD7IoXzNzyW4bGVjge/xCrpPX5eKtdqIvkt9JL5lo2VSaEb90+cSJ8GdcLv+Qj2SovClfy6KIaw5TffwxwmskS9Xr+2cyXAbLGPk+sqPVyU+IXto0dib6qJONiV76jGAhYsKOIHY6cDRLERP2aGKnB4NZjJigg4mcLuxv+eYdqNelVvsTOX14nCWJCfk4cdOJnWWN1cttvXwi3eUcaSj7ykHSSNpLH/m7hjWzTpX+cpE0kcNkb2kgbaSzjAx4kZB+rlFrDbSit7Wx/0U6SZ0Kz7m+9Ai4b0EcNbM/TgbmeBRXNTlLvrNgGr2Jmm5sF/IqND1dKV0K3BO3vTzi+ead+GpmfVv2y1u3SM5VP3RMnscitc5AO2628ALeIzydeZu8D8SMv2b2+r3unuruJH8zeCI3EzMdqSmzrAr+t1tdCZ+PQ2ReajUzlsiZnutWlWGGTmRWqKcOQIxcbtUde/V9nXtDWZdKzaxX+6pbTb40ciaXEzFdqSJTLQl+iRzv++w7pVAz6zO+6+6ifgyZNpOpAfY2hMSw5bHNAwKd/ZeJ18y4ULYNUPdS42bye+KlM8Uy3oLgr1KvikE4NeGaWYPtSVsp75P89HM8G3PoTlOnrxf7LNGaGRdL9YB1Oxo1k6ZES38+Nz76jQOf+y2J1sw4LHDdegbdefE5sTKBUwwP/tKtts3yw0EJ1sx6YYhJfWrMTE4hVmbwttHRHx3q3OcmVjNr/RB1exkykbeJlCn8NtBlqLr4TKhzH5tYzewNrGE+/DLjISplaj2BMQwyOPp3hzrzUYnVzDg3VN3WRsxjEHEyib1kvbHR7xzqzAfHUHNQnq+8wnCCEbdL70WczOJRY6N/Z6jzHhNDzRF5bv4NQ0sDpvEoUTKNXY19stsToc57Qgw1c1/Rty5UXf2v6Fvt+xnCoAF3Gxr94SHOuSjHbjjDQ3VyWp6j3T5E3Tss/9wFUqKeLDEy+rNDnHOjGGrWz3u0rSP/5UQfl6g1BEZyk6Gv+0cFPuMXY6jZKaavImtG+KCveLyJCJlKDfVqZ2L0ewQ831p5dtbpEbiL7+Q91pnql4xgtNP+3VcNImQulxkZ/XkBd4N5OIaaBxe80v6CgLP5SvMpXEZ8TMbUzTtuC3CuRxcI6W2BOvhWwWOdEuj+AN1f89mYw3jaGRn9JbKHz/OsLeMir+nlbv2MXX3XrS2TNZ9AO6JjOkUFI6Gn3/m6D76afBx5zcw1kQs8XvF2mq+6xfKu5t0fF/gTDNCIZoZ+zv+6VPIc/JGR1xSpKz94PtaFcqCPiTykfe+bERs7+MjQ8P/Z0wMf9vH1VJs/e3yIxEHyL1/HuthjXKrLq9r3/SMiYwvHGXs9/09ycoFfZy70feFSoZrZqkt9H+sGuUO2KVD5SCMevnUckbGH4QbfxDtGjs5xVi0CPx4zd02RM+T7wMc6Uzrl/GT8ABlmxD4Kw4mLTRxh0D5wFfmj+v34dNlr46vqTnKS9JOfI61ZS/aTs+W5CC6CWipvSEc5eONFsFVkN2kovSN6hm/8bvD4YDIwhhcM37Hvf8FaE0PNeB6BvVYWGbdf0gtExTZ+IyWWhB/js0StE7COR1jaWMBHiImN7CKrWNyYx6BPKALt6cHyxhjumATtqSuLWeCY86KkukTEXm5kiWMObyQeNlPdwOe6YxLOCfzYUDCEP7DME/te3yT/QDRsp5JMIeyxXs1nolN83NEIxtKW2Oe5hr8o1DX8ptqWWLhAUZ7HR7pgXHfumetYNuZwhZYOBz+u+/VNtiWRcIcPHQ1+XLv0mOyHxMElTnQy+HHtzWe2JxIHt3jTueDHtyOvyb5JFFzjMCl1LPpx7cNvsqVqHYBzPOdU8ON7+o7JPkcMXGQvpzbviOuZeyZbotYAOMlDDkU/riftmuxDRMBVdnbm2vXZIbpU39KerFTzB2e5y5Hoh9tgepqVPbmL5e8ydWSRE9F/IlSXvrSwI4vU7MFpbnAi+neE6tEICztyA0vfdbaR6Q5Ev3OoHg22rh/TCz4iDBygowPRvztUh0Zb14+OLHsQqSyTrY/+M6E6ZNtNzpPVzAEUZ1kf/dGh+jPXsm6cxZKHLEVGPPo5jEtDvM4dZN39i2zMAZtobv3rfuPAvbnFsk40Z7nD5rxvefQfD9yZz6zqw/ssddiS4y2PftDnydl2x/7xLHXYmtctD/+AQF2x60q+11nmUJ6DLd+8oyTAK55dd+2VqhkDVMCzlr/uz5H6vvrRUNZZdf7PssShYna3bKmX91vZwXM3DpF5Vp37OjVfgBz0s/5LvmlyhKdOtJHllp15P5Y35GZ7WWF9+FdKF6lWoAuPSJllZ71CnRVAHu5w4ibeX6RTjvvV60sPWcZty+Ae28q/Hdm5Z718It2lnTSUfeVAaSTtpY/83dJz/beaK0ABOjsSfZfszLKGwmwjMwmLVc5kYw7wxsXExSovZkmDNyrJJAJjjZN8PF0YnKc1kbHG1ixn8MNYQmOFY1nK4I8mxMYKm7CUwS/vERzjfY9lDP5pQHSMtwHLGIIwjPAY7TCWMATjYNlAgIx1AxtzQHCeIULG+gzLF4Kzp6wlREa6Vs0OIAQPECMjfYClC+HYwbrdalxwuY+NyABycDtRMs7bWbYQntqygDAZ5QI1M4AIuJY4GeW1LFmIhmoyg0AZ44wCm44C+OBCImWMF7JcIToqyURCZYQT2ZgDouVMYmWEZ7JUIWq+IVja+w3LFKLnNKKlvaexTCEO/kS4tPZPLFGIh2OJl9YeyxKFuHiVgGnrqyxPiI8D2bxD2405DmR5Qpw8Rcy09CmWJsTLHmzeoeXGHLuzNCFu7idq2nk/yxLiZ3tZRti0cpmaCUAC/JG4aeUfWZKQDLVkPoHTxvlqHgAJcQ2R08ZrWI6QHFVlOqHTwulqFgAJcgGx08ILWIqQLMUygeCl7gQ1B4CEaUX0UrcVyxDS4CvCl6pfsQQhHRoTv1RtzBKEtBhFAFNzFMsP0uNoKSOEqVimeg+QIi8Tw1R8maUH6XKArCeIibte9R0gZZ4kion7JMsO0mc3WUMYE3WN6jmABtxHHBP1PpYc6MF2spRAJuZS1W8ATehOJBOzO8sN9KGmzCOUiThP9RpAI64ilol4FUsN9KKq/EwwY/dnNuYA/TifaMbu+Swz0I9iGU84Y3U8G3OAnrQknrHakiUGuvIFAY3NL1heoC+nENHYPIXlBTrzLiGNxXdZWqA3v2Xzjlg25vgtSwt0ZwhRjdwhLCvQn/3YvCPyjTn2Y1mBCTxBXCP1CZYUmEF9WU1gI3O16ieAIdxDZCPzHpYTmEM9WUJoI3GJ6iWAQXQjtpHYjaUEZlFD5hLc0M5VfQQwjE5EN7SdWEZgHlVkKuEN5VTVQwADOY/4hvI8lhCYSZGMI8CBHaf6B2AozYlwYJuzfMBkPiPEgfyMpQNmcxIxDuRJLB0wnZEE2bcjWTZgPkeyeYfvjTmOZNmADbxEnH35EksG7GBfKSHQni1R/QKwhP5E2rP9WS5gD7vKKkLtyVWyC8sFbKI3sfZkb5YK2EVdWUywC7pY9QnAMroS7YJ2ZZmAfVSXOYQ7r3NUjwAs5ArindcrWCJgJ5VlCgHP6RTVHwBLOZeI5/RclgfYS5F8T8gr9Hs25gC7aUrMK7QpSwNs51OCXs5PWRZgPycS9XKeyLIAF3ibsG/h2ywJcIPDpZTAb7JU9QPAEQYR+U0OYjmAO+zD5h2bNubYh+UALvEYsf/Vx1gK4BY7y0qCr3qwM0sBXKMX0Vc9AHCOOrLI8eAvUj0AcJCbHI/+TSwBcJPqMsvh4M9iYw5wl8scjv5ljB/cpbJMdjT4k9mYA9zmHEejfw6jB7cpkr87GPzv2JgDoImD0W/C2AFEPnEs+J8wcoAMxzsW/eMZOUCWtxwK/luMG+C/HOrM5h2l6lwBYBMvOhL9Fxk1wObsLescCP46dZ4AsAWPOBD9RxgzwNbsJCssD/4KdY4AUI6elke/JyMGqIhtZaHFwV+ozg8AKqSLxdHvwngBcrGNzLQ0+DPVuQFATi61NPqXMlqAfFSSSRYGf5I6LwDIS1sLo9+WsQIUoki+tSz437IxB4AXmloW/aaMFMAbH1oU/A8ZJ4BXGlgU/QaME8A7b1oS/DcZJYAfDpYNFgR/gzoPAPDF8xZE/3nGCOCXPWWt4cFfq84BAHzzsOHRf5gRAgRhR1lucPCXq+MHgEDcZXD072J8AEGpLQsMDf4CdewAEJgbDI3+DYwOIAzV5BcDg/+LOm4ACMUlBkb/EsYGEJZK8qNhwZ/IxhwAUXC2YdE/m5EBRMM3BgX/G8YFEBWnGxT90xkXQHR8YEjwP2BUAFFyrCHRP5ZRAUTLGwYE/w3GBBA1B2m/eccGdYwAEDnPah79ZxkRQBzsofXmHWvV8QFALDyocfQfZDwAcbGDLNM0+MvUsQFAbNypafTvZDQAcVJL5msY/PnquAAgVq7XMPrXMxaAuKkq0zUL/nR1TAAQOxdrFv2LGQlAEhTLBI2CP0EdDwAkQhuNot+GcQAkx1eaBP8rRgGQJKdqEv1TGQVAsrynQfDfYwwASXOMlKUc/DJ1DACQOK+lHP3XGAFAGhwg61MM/nr19wNAKgxMMfoDaT9AWuwma1IK/hr1dwNAajyQUvQfoPUAabKdLE0h+EvV3wsAqXJ7CtG/nbYDpE1NmZdw8OepvxMAUue6hKN/HS0H0IGqMi3B4E9jYw4AXbgowehfRLsBdKFYxicU/PFszAGgE2cmFP0zaTWAXnyRQPC/oM0AutEogeg3os0A+jEm5uCPocUAOnJUrJt3lKn6AKAlr8YY/VdpL4Cu7B/b5h3rVW0A0JanY4r+07QWQGfqy+oYgr9a1QUArekbQ/T70lYA3aknSyIO/hJVEwC057aIo38bLQUwgRoyN8Lgz1X1AMAIrokw+tfQTgBTqCJTIwr+VFULAIyhQ0TR70ArAUyiWMZFEPxxbMwBYBpnRBD9M2gjgHl8FjL4n9FCABM5OWT0T6aFAGYyOkTwR9M+AFM5MvDmHWXqzwKAsbwSMPqv0DoAk9lXSgIEv0T9OQAwmicDRP9J2gZgOrvKKp/BX6X+DAAYz30+o38fLQOwgbqy2EfwF6v/HgCs4FYf0b+VdgHYQg2Z4zH4c9iYA8AmrvYY/atpFYBNVJGfPAT/JzbmALCN8z1E/3zaBGAbRfJDgeD/oP4bALCOlgWi35IWAdjJp3mC/yntAbCVhnmi35D2ANjLuzmC/y6tAbCZw6W0guCXqn8PAFYztILoD6UtALazT7nNO0rUvwMA6xmwVfQH0BIAF9hFVm4W/JWyMy0BcIN7N4v+vbQDwBXqyKKNwV+k/j8AOEO3jdHvRisAXKK6zFbBn63+CQBOcaWK/pW0AcA1Ksto9T8AcA525HGY/wcAxiEwaH/ifAAAAABJRU5ErkJggg==
-  href: 'https://vault-vault.apps.region.example.com'
-  location: ApplicationMenu
-  text: 'Vault'
----
-# Source: hashicorp-vault/charts/vault/templates/server-route.yaml
-kind: Route
-apiVersion: route.openshift.io/v1
-metadata:
-  name: common-hashicorp-vault
-  namespace: pattern-namespace
-  labels:
-    helm.sh/chart: vault-0.28.1
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: common-hashicorp-vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  host: 
-  to:
-    kind: Service
-    name: common-hashicorp-vault
-    weight: 100
-  port:
-    targetPort: 8200
-  tls:
-    termination: reencrypt
----
-# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: common-hashicorp-vault-server-test
-  namespace: pattern-namespace
-  annotations:
-    "helm.sh/hook": test
-spec:
-  
-  containers:
-    - name: common-hashicorp-vault-server-test
-      image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi
-      imagePullPolicy: IfNotPresent
-      env:
-        - name: VAULT_ADDR
-          value: http://common-hashicorp-vault.pattern-namespace.svc:8200
-        
-        - name: "VAULT_ADDR"
-          value: "https://vault.vault.svc.cluster.local:8200"
-        - name: "VAULT_CACERT"
-          value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-      command:
-        - /bin/sh
-        - -c
-        - |
-          echo "Checking for sealed info in 'vault status' output"
-          ATTEMPTS=10
-          n=0
-          until [ "$n" -ge $ATTEMPTS ]
-          do
-            echo "Attempt" $n...
-            vault status -format yaml | grep -E '^sealed: (true|false)' && break
-            n=$((n+1))
-            sleep 5
-          done
-          if [ $n -ge $ATTEMPTS ]; then
-            echo "timed out looking for sealed info in 'vault status' output"
-            exit 1
-          fi
-
-          exit 0
-      volumeMounts:
-  volumes:
-  restartPolicy: Never
diff --git a/tests/common-install-industrial-edge-factory.expected.yaml b/tests/common-install-industrial-edge-factory.expected.yaml
deleted file mode 100644
index b8ab08c5..00000000
--- a/tests/common-install-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
----
-# Source: pattern-install/templates/argocd/namespace.yaml
-# Pre-create so we can create our argo app for keeping subscriptions in sync
-# Do it here so that we don't try to sync it in the future
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: openshift-gitops
----
-# Source: pattern-install/templates/argocd/application.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: common-install-hub
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: common-install-hub
-  project: default
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      # Track the progress of https://github.com/argoproj/argo-cd/pull/6280
-      parameters:
-        - name: global.repoURL
-          value: $ARGOCD_APP_SOURCE_REPO_URL
-        - name: global.targetRevision
-          value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: common-install
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.clusterVersion
-          value: ""
-  syncPolicy:
-    automated: {}
----
-# Source: pattern-install/templates/argocd/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-gitops-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/openshift-gitops-operator.openshift-operators: ""
-spec:
-  channel: stable
-  installPlanApproval: Automatic
-  name: openshift-gitops-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  config:
-    env:
-      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-        value: common-install-hub,openshift-gitops
diff --git a/tests/common-install-industrial-edge-hub.expected.yaml b/tests/common-install-industrial-edge-hub.expected.yaml
deleted file mode 100644
index b8ab08c5..00000000
--- a/tests/common-install-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
----
-# Source: pattern-install/templates/argocd/namespace.yaml
-# Pre-create so we can create our argo app for keeping subscriptions in sync
-# Do it here so that we don't try to sync it in the future
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: openshift-gitops
----
-# Source: pattern-install/templates/argocd/application.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: common-install-hub
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: common-install-hub
-  project: default
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      # Track the progress of https://github.com/argoproj/argo-cd/pull/6280
-      parameters:
-        - name: global.repoURL
-          value: $ARGOCD_APP_SOURCE_REPO_URL
-        - name: global.targetRevision
-          value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: common-install
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.clusterVersion
-          value: ""
-  syncPolicy:
-    automated: {}
----
-# Source: pattern-install/templates/argocd/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-gitops-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/openshift-gitops-operator.openshift-operators: ""
-spec:
-  channel: stable
-  installPlanApproval: Automatic
-  name: openshift-gitops-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  config:
-    env:
-      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-        value: common-install-hub,openshift-gitops
diff --git a/tests/common-install-medical-diagnosis-hub.expected.yaml b/tests/common-install-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index b8ab08c5..00000000
--- a/tests/common-install-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
----
-# Source: pattern-install/templates/argocd/namespace.yaml
-# Pre-create so we can create our argo app for keeping subscriptions in sync
-# Do it here so that we don't try to sync it in the future
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: openshift-gitops
----
-# Source: pattern-install/templates/argocd/application.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: common-install-hub
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: common-install-hub
-  project: default
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      # Track the progress of https://github.com/argoproj/argo-cd/pull/6280
-      parameters:
-        - name: global.repoURL
-          value: $ARGOCD_APP_SOURCE_REPO_URL
-        - name: global.targetRevision
-          value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: common-install
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.clusterVersion
-          value: ""
-  syncPolicy:
-    automated: {}
----
-# Source: pattern-install/templates/argocd/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-gitops-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/openshift-gitops-operator.openshift-operators: ""
-spec:
-  channel: stable
-  installPlanApproval: Automatic
-  name: openshift-gitops-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  config:
-    env:
-      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-        value: common-install-hub,openshift-gitops
diff --git a/tests/common-install-naked.expected.yaml b/tests/common-install-naked.expected.yaml
deleted file mode 100644
index 5c755fe6..00000000
--- a/tests/common-install-naked.expected.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
----
-# Source: pattern-install/templates/argocd/namespace.yaml
-# Pre-create so we can create our argo app for keeping subscriptions in sync
-# Do it here so that we don't try to sync it in the future
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: openshift-gitops
----
-# Source: pattern-install/templates/argocd/application.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: common-install-default
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: common-install-default
-  project: default
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-default.yaml"
-      # Track the progress of https://github.com/argoproj/argo-cd/pull/6280
-      parameters:
-        - name: global.repoURL
-          value: $ARGOCD_APP_SOURCE_REPO_URL
-        - name: global.targetRevision
-          value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: common-install
-        - name: global.hubClusterDomain
-          value: 
-        - name: global.clusterVersion
-          value: ""
-  syncPolicy:
-    automated: {}
----
-# Source: pattern-install/templates/argocd/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-gitops-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/openshift-gitops-operator.openshift-operators: ""
-spec:
-  channel: stable
-  installPlanApproval: Automatic
-  name: openshift-gitops-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  config:
-    env:
-      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-        value: common-install-default,openshift-gitops
diff --git a/tests/common-install-normal.expected.yaml b/tests/common-install-normal.expected.yaml
deleted file mode 100644
index b8ab08c5..00000000
--- a/tests/common-install-normal.expected.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
----
-# Source: pattern-install/templates/argocd/namespace.yaml
-# Pre-create so we can create our argo app for keeping subscriptions in sync
-# Do it here so that we don't try to sync it in the future
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: openshift-gitops
----
-# Source: pattern-install/templates/argocd/application.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: common-install-hub
-  namespace: openshift-gitops
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io/foreground
-spec:
-  destination:
-    name: in-cluster
-    namespace: common-install-hub
-  project: default
-  source:
-    repoURL: https://github.com/pattern-clone/mypattern
-    targetRevision: main
-    path: common/clustergroup
-    helm:
-      ignoreMissingValueFiles: true
-      valueFiles:
-      - "/values-global.yaml"
-      - "/values-hub.yaml"
-      # Track the progress of https://github.com/argoproj/argo-cd/pull/6280
-      parameters:
-        - name: global.repoURL
-          value: $ARGOCD_APP_SOURCE_REPO_URL
-        - name: global.targetRevision
-          value: $ARGOCD_APP_SOURCE_TARGET_REVISION
-        - name: global.namespace
-          value: $ARGOCD_APP_NAMESPACE
-        - name: global.pattern
-          value: common-install
-        - name: global.hubClusterDomain
-          value: apps.hub.example.com
-        - name: global.clusterVersion
-          value: ""
-  syncPolicy:
-    automated: {}
----
-# Source: pattern-install/templates/argocd/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-gitops-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/openshift-gitops-operator.openshift-operators: ""
-spec:
-  channel: stable
-  installPlanApproval: Automatic
-  name: openshift-gitops-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
-  config:
-    env:
-      - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-        value: common-install-hub,openshift-gitops
diff --git a/tests/common-letsencrypt-industrial-edge-factory.expected.yaml b/tests/common-letsencrypt-industrial-edge-factory.expected.yaml
deleted file mode 100644
index b5aded2f..00000000
--- a/tests/common-letsencrypt-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,202 +0,0 @@
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager-operator
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: letsencrypt
-spec:
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  servingCerts:
-    namedCertificates:
-      - names:
-        - api.region.example.com
-        servingCertificate:
-          name: api-validated-patterns-letsencrypt-cert
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ArgoCD
-metadata:
-  name: openshift-gitops
-  namespace: openshift-gitops
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  server:
-    route:
-      enabled: true
-      tls:
-         termination: reencrypt
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operator.openshift.io/v1alpha1
-kind: CertManager
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  managementState: "Managed"
-  unsupportedConfigOverrides:
-    # Here's an example to supply custom DNS settings.
-    controller:
-      args:
-        - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
-        - "--dns01-recursive-nameservers-only"
----
-# Source: letsencrypt/templates/api-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: api-validated-patterns-cert
-  namespace: openshift-config
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: api-validated-patterns-letsencrypt-cert
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: 'api.region.example.com'
-  usages:
-    - server auth
-  dnsNames:
-  - api.region.example.com
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/wildcard-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: lets-encrypt-certs
-  namespace: openshift-ingress
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: lets-encrypt-wildcart-cert-tls
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: '*.apps.region.example.com'
-  usages:
-    - server auth
-  dnsNames:
-    - '*.apps.region.example.com'
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/issuer.yaml
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: validated-patterns-issuer
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  acme:
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: test@example.com
-    privateKeySecretRef:
-      name: validated-patterns-issuer-account-key
-    solvers:
-    - selector: {}
-      dns01:
-        route53:
-          region: eu-central-1
-          accessKeyIDSecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_access_key_id
-          secretAccessKeySecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_secret_access_key
----
-# Source: letsencrypt/templates/credentials-request.yaml
-apiVersion: cloudcredential.openshift.io/v1
-kind: CredentialsRequest
-metadata:
-  name: letsencrypt-cert-manager-dns
-  namespace: openshift-cloud-credential-operator
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  providerSpec:
-    apiVersion: cloudcredential.openshift.io/v1
-    kind: AWSProviderSpec
-    statementEntries:
-    - action:
-      - 'route53:ChangeResourceRecordSets'
-      - 'route53:GetChange'
-      - 'route53:ListHostedZonesByName'
-      - 'route53:ListHostedZones'
-      effect: Allow
-      resource: '*'
-  secretRef:
-    name: cert-manager-dns-credentials
-    namespace: cert-manager
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
-  name: default
-  namespace: openshift-ingress-operator
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  routeAdmission:
-    wildcardPolicy: WildcardsAllowed
-  defaultCertificate:
-    name: lets-encrypt-wildcart-cert-tls
-# Patch the cluster-wide argocd instance so it uses the ingress tls cert
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  targetNamespaces:
-  - cert-manager-operator
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  channel: "stable-v1"
-  installPlanApproval: Automatic
-  name: openshift-cert-manager-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-letsencrypt-industrial-edge-hub.expected.yaml b/tests/common-letsencrypt-industrial-edge-hub.expected.yaml
deleted file mode 100644
index b5aded2f..00000000
--- a/tests/common-letsencrypt-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,202 +0,0 @@
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager-operator
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: letsencrypt
-spec:
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  servingCerts:
-    namedCertificates:
-      - names:
-        - api.region.example.com
-        servingCertificate:
-          name: api-validated-patterns-letsencrypt-cert
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ArgoCD
-metadata:
-  name: openshift-gitops
-  namespace: openshift-gitops
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  server:
-    route:
-      enabled: true
-      tls:
-         termination: reencrypt
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operator.openshift.io/v1alpha1
-kind: CertManager
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  managementState: "Managed"
-  unsupportedConfigOverrides:
-    # Here's an example to supply custom DNS settings.
-    controller:
-      args:
-        - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
-        - "--dns01-recursive-nameservers-only"
----
-# Source: letsencrypt/templates/api-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: api-validated-patterns-cert
-  namespace: openshift-config
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: api-validated-patterns-letsencrypt-cert
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: 'api.region.example.com'
-  usages:
-    - server auth
-  dnsNames:
-  - api.region.example.com
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/wildcard-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: lets-encrypt-certs
-  namespace: openshift-ingress
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: lets-encrypt-wildcart-cert-tls
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: '*.apps.region.example.com'
-  usages:
-    - server auth
-  dnsNames:
-    - '*.apps.region.example.com'
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/issuer.yaml
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: validated-patterns-issuer
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  acme:
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: test@example.com
-    privateKeySecretRef:
-      name: validated-patterns-issuer-account-key
-    solvers:
-    - selector: {}
-      dns01:
-        route53:
-          region: eu-central-1
-          accessKeyIDSecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_access_key_id
-          secretAccessKeySecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_secret_access_key
----
-# Source: letsencrypt/templates/credentials-request.yaml
-apiVersion: cloudcredential.openshift.io/v1
-kind: CredentialsRequest
-metadata:
-  name: letsencrypt-cert-manager-dns
-  namespace: openshift-cloud-credential-operator
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  providerSpec:
-    apiVersion: cloudcredential.openshift.io/v1
-    kind: AWSProviderSpec
-    statementEntries:
-    - action:
-      - 'route53:ChangeResourceRecordSets'
-      - 'route53:GetChange'
-      - 'route53:ListHostedZonesByName'
-      - 'route53:ListHostedZones'
-      effect: Allow
-      resource: '*'
-  secretRef:
-    name: cert-manager-dns-credentials
-    namespace: cert-manager
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
-  name: default
-  namespace: openshift-ingress-operator
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  routeAdmission:
-    wildcardPolicy: WildcardsAllowed
-  defaultCertificate:
-    name: lets-encrypt-wildcart-cert-tls
-# Patch the cluster-wide argocd instance so it uses the ingress tls cert
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  targetNamespaces:
-  - cert-manager-operator
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  channel: "stable-v1"
-  installPlanApproval: Automatic
-  name: openshift-cert-manager-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml b/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index b5aded2f..00000000
--- a/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,202 +0,0 @@
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager-operator
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: letsencrypt
-spec:
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  servingCerts:
-    namedCertificates:
-      - names:
-        - api.region.example.com
-        servingCertificate:
-          name: api-validated-patterns-letsencrypt-cert
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ArgoCD
-metadata:
-  name: openshift-gitops
-  namespace: openshift-gitops
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  server:
-    route:
-      enabled: true
-      tls:
-         termination: reencrypt
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operator.openshift.io/v1alpha1
-kind: CertManager
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  managementState: "Managed"
-  unsupportedConfigOverrides:
-    # Here's an example to supply custom DNS settings.
-    controller:
-      args:
-        - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
-        - "--dns01-recursive-nameservers-only"
----
-# Source: letsencrypt/templates/api-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: api-validated-patterns-cert
-  namespace: openshift-config
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: api-validated-patterns-letsencrypt-cert
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: 'api.region.example.com'
-  usages:
-    - server auth
-  dnsNames:
-  - api.region.example.com
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/wildcard-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: lets-encrypt-certs
-  namespace: openshift-ingress
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: lets-encrypt-wildcart-cert-tls
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: '*.apps.region.example.com'
-  usages:
-    - server auth
-  dnsNames:
-    - '*.apps.region.example.com'
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/issuer.yaml
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: validated-patterns-issuer
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  acme:
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: test@example.com
-    privateKeySecretRef:
-      name: validated-patterns-issuer-account-key
-    solvers:
-    - selector: {}
-      dns01:
-        route53:
-          region: eu-central-1
-          accessKeyIDSecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_access_key_id
-          secretAccessKeySecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_secret_access_key
----
-# Source: letsencrypt/templates/credentials-request.yaml
-apiVersion: cloudcredential.openshift.io/v1
-kind: CredentialsRequest
-metadata:
-  name: letsencrypt-cert-manager-dns
-  namespace: openshift-cloud-credential-operator
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  providerSpec:
-    apiVersion: cloudcredential.openshift.io/v1
-    kind: AWSProviderSpec
-    statementEntries:
-    - action:
-      - 'route53:ChangeResourceRecordSets'
-      - 'route53:GetChange'
-      - 'route53:ListHostedZonesByName'
-      - 'route53:ListHostedZones'
-      effect: Allow
-      resource: '*'
-  secretRef:
-    name: cert-manager-dns-credentials
-    namespace: cert-manager
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
-  name: default
-  namespace: openshift-ingress-operator
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  routeAdmission:
-    wildcardPolicy: WildcardsAllowed
-  defaultCertificate:
-    name: lets-encrypt-wildcart-cert-tls
-# Patch the cluster-wide argocd instance so it uses the ingress tls cert
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  targetNamespaces:
-  - cert-manager-operator
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  channel: "stable-v1"
-  installPlanApproval: Automatic
-  name: openshift-cert-manager-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-letsencrypt-naked.expected.yaml b/tests/common-letsencrypt-naked.expected.yaml
deleted file mode 100644
index 73aa94a4..00000000
--- a/tests/common-letsencrypt-naked.expected.yaml
+++ /dev/null
@@ -1,202 +0,0 @@
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager-operator
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: letsencrypt
-spec:
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  servingCerts:
-    namedCertificates:
-      - names:
-        - api.example.com
-        servingCertificate:
-          name: api-validated-patterns-letsencrypt-cert
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ArgoCD
-metadata:
-  name: openshift-gitops
-  namespace: openshift-gitops
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  server:
-    route:
-      enabled: true
-      tls:
-         termination: reencrypt
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operator.openshift.io/v1alpha1
-kind: CertManager
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  managementState: "Managed"
-  unsupportedConfigOverrides:
-    # Here's an example to supply custom DNS settings.
-    controller:
-      args:
-        - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
-        - "--dns01-recursive-nameservers-only"
----
-# Source: letsencrypt/templates/api-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: api-validated-patterns-cert
-  namespace: openshift-config
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: api-validated-patterns-letsencrypt-cert
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: 'api.example.com'
-  usages:
-    - server auth
-  dnsNames:
-  - api.example.com
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/wildcard-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: lets-encrypt-certs
-  namespace: openshift-ingress
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: lets-encrypt-wildcart-cert-tls
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: '*.apps.example.com'
-  usages:
-    - server auth
-  dnsNames:
-    - '*.apps.example.com'
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/issuer.yaml
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: validated-patterns-issuer
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  acme:
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: test@example.com
-    privateKeySecretRef:
-      name: validated-patterns-issuer-account-key
-    solvers:
-    - selector: {}
-      dns01:
-        route53:
-          region: eu-central-1
-          accessKeyIDSecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_access_key_id
-          secretAccessKeySecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_secret_access_key
----
-# Source: letsencrypt/templates/credentials-request.yaml
-apiVersion: cloudcredential.openshift.io/v1
-kind: CredentialsRequest
-metadata:
-  name: letsencrypt-cert-manager-dns
-  namespace: openshift-cloud-credential-operator
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  providerSpec:
-    apiVersion: cloudcredential.openshift.io/v1
-    kind: AWSProviderSpec
-    statementEntries:
-    - action:
-      - 'route53:ChangeResourceRecordSets'
-      - 'route53:GetChange'
-      - 'route53:ListHostedZonesByName'
-      - 'route53:ListHostedZones'
-      effect: Allow
-      resource: '*'
-  secretRef:
-    name: cert-manager-dns-credentials
-    namespace: cert-manager
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
-  name: default
-  namespace: openshift-ingress-operator
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  routeAdmission:
-    wildcardPolicy: WildcardsAllowed
-  defaultCertificate:
-    name: lets-encrypt-wildcart-cert-tls
-# Patch the cluster-wide argocd instance so it uses the ingress tls cert
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  targetNamespaces:
-  - cert-manager-operator
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  channel: "stable-v1"
-  installPlanApproval: Automatic
-  name: openshift-cert-manager-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-letsencrypt-normal.expected.yaml b/tests/common-letsencrypt-normal.expected.yaml
deleted file mode 100644
index b5aded2f..00000000
--- a/tests/common-letsencrypt-normal.expected.yaml
+++ /dev/null
@@ -1,202 +0,0 @@
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager-operator
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
-spec:
----
-# Source: letsencrypt/templates/namespaces.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: letsencrypt
-spec:
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  servingCerts:
-    namedCertificates:
-      - names:
-        - api.region.example.com
-        servingCertificate:
-          name: api-validated-patterns-letsencrypt-cert
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ArgoCD
-metadata:
-  name: openshift-gitops
-  namespace: openshift-gitops
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  server:
-    route:
-      enabled: true
-      tls:
-         termination: reencrypt
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operator.openshift.io/v1alpha1
-kind: CertManager
-metadata:
-  name: cluster
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  managementState: "Managed"
-  unsupportedConfigOverrides:
-    # Here's an example to supply custom DNS settings.
-    controller:
-      args:
-        - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
-        - "--dns01-recursive-nameservers-only"
----
-# Source: letsencrypt/templates/api-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: api-validated-patterns-cert
-  namespace: openshift-config
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: api-validated-patterns-letsencrypt-cert
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: 'api.region.example.com'
-  usages:
-    - server auth
-  dnsNames:
-  - api.region.example.com
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/wildcard-cert.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: lets-encrypt-certs
-  namespace: openshift-ingress
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  secretName: lets-encrypt-wildcart-cert-tls
-  duration: 168h0m0s
-  renewBefore: 28h0m0s
-  commonName: '*.apps.region.example.com'
-  usages:
-    - server auth
-  dnsNames:
-    - '*.apps.region.example.com'
-  issuerRef:
-    name: validated-patterns-issuer
-    kind: ClusterIssuer
-  subject:
-    organizations:
-    - hybrid-cloud-patterns.io
----
-# Source: letsencrypt/templates/issuer.yaml
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: validated-patterns-issuer
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  acme:
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: test@example.com
-    privateKeySecretRef:
-      name: validated-patterns-issuer-account-key
-    solvers:
-    - selector: {}
-      dns01:
-        route53:
-          region: eu-central-1
-          accessKeyIDSecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_access_key_id
-          secretAccessKeySecretRef:
-            name: cert-manager-dns-credentials
-            key: aws_secret_access_key
----
-# Source: letsencrypt/templates/credentials-request.yaml
-apiVersion: cloudcredential.openshift.io/v1
-kind: CredentialsRequest
-metadata:
-  name: letsencrypt-cert-manager-dns
-  namespace: openshift-cloud-credential-operator
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  providerSpec:
-    apiVersion: cloudcredential.openshift.io/v1
-    kind: AWSProviderSpec
-    statementEntries:
-    - action:
-      - 'route53:ChangeResourceRecordSets'
-      - 'route53:GetChange'
-      - 'route53:ListHostedZonesByName'
-      - 'route53:ListHostedZones'
-      effect: Allow
-      resource: '*'
-  secretRef:
-    name: cert-manager-dns-credentials
-    namespace: cert-manager
----
-# Source: letsencrypt/templates/default-routes.yaml
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
-  name: default
-  namespace: openshift-ingress-operator
-  annotations:
-    argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
-  routeAdmission:
-    wildcardPolicy: WildcardsAllowed
-  defaultCertificate:
-    name: lets-encrypt-wildcart-cert-tls
-# Patch the cluster-wide argocd instance so it uses the ingress tls cert
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
-  name: cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  targetNamespaces:
-  - cert-manager-operator
----
-# Source: letsencrypt/templates/cert-manager-installation.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-cert-manager-operator
-  namespace: cert-manager-operator
-spec:
-  channel: "stable-v1"
-  installPlanApproval: Automatic
-  name: openshift-cert-manager-operator
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-operator-install-industrial-edge-factory.expected.yaml b/tests/common-operator-install-industrial-edge-factory.expected.yaml
deleted file mode 100644
index ba97ea46..00000000
--- a/tests/common-operator-install-industrial-edge-factory.expected.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-# Source: pattern-install/templates/pattern-operator-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: patterns-operator-config
-  namespace: openshift-operators
-data:
-  gitops.catalogSource: redhat-operators
-  gitops.channel: gitops-1.13
-
-  # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace
-  # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan
-  # gitops.ManualSync: GitOpsDefaultManualSync
-  # gitops.name: GitOpsDefaultPackageName
----
-# Source: pattern-install/templates/pattern.yaml
-apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1
-kind: Pattern
-metadata:
-  name: common-operator-install
-  namespace: openshift-operators
-spec:
-  clusterGroupName: hub
-  gitSpec: 
-    targetRepo: https://github.com/pattern-clone/mypattern
-    targetRevision: main 
-  multiSourceConfig:
-    enabled: true
----
-# Source: pattern-install/templates/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: patterns-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/patterns-operator.openshift-operators: ""
-spec:
-  channel: fast
-  installPlanApproval: Automatic
-  name: patterns-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-operator-install-industrial-edge-hub.expected.yaml b/tests/common-operator-install-industrial-edge-hub.expected.yaml
deleted file mode 100644
index ba97ea46..00000000
--- a/tests/common-operator-install-industrial-edge-hub.expected.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-# Source: pattern-install/templates/pattern-operator-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: patterns-operator-config
-  namespace: openshift-operators
-data:
-  gitops.catalogSource: redhat-operators
-  gitops.channel: gitops-1.13
-
-  # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace
-  # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan
-  # gitops.ManualSync: GitOpsDefaultManualSync
-  # gitops.name: GitOpsDefaultPackageName
----
-# Source: pattern-install/templates/pattern.yaml
-apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1
-kind: Pattern
-metadata:
-  name: common-operator-install
-  namespace: openshift-operators
-spec:
-  clusterGroupName: hub
-  gitSpec: 
-    targetRepo: https://github.com/pattern-clone/mypattern
-    targetRevision: main 
-  multiSourceConfig:
-    enabled: true
----
-# Source: pattern-install/templates/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: patterns-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/patterns-operator.openshift-operators: ""
-spec:
-  channel: fast
-  installPlanApproval: Automatic
-  name: patterns-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml b/tests/common-operator-install-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index ba97ea46..00000000
--- a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-# Source: pattern-install/templates/pattern-operator-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: patterns-operator-config
-  namespace: openshift-operators
-data:
-  gitops.catalogSource: redhat-operators
-  gitops.channel: gitops-1.13
-
-  # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace
-  # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan
-  # gitops.ManualSync: GitOpsDefaultManualSync
-  # gitops.name: GitOpsDefaultPackageName
----
-# Source: pattern-install/templates/pattern.yaml
-apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1
-kind: Pattern
-metadata:
-  name: common-operator-install
-  namespace: openshift-operators
-spec:
-  clusterGroupName: hub
-  gitSpec: 
-    targetRepo: https://github.com/pattern-clone/mypattern
-    targetRevision: main 
-  multiSourceConfig:
-    enabled: true
----
-# Source: pattern-install/templates/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: patterns-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/patterns-operator.openshift-operators: ""
-spec:
-  channel: fast
-  installPlanApproval: Automatic
-  name: patterns-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-operator-install-naked.expected.yaml b/tests/common-operator-install-naked.expected.yaml
deleted file mode 100644
index 7466acc4..00000000
--- a/tests/common-operator-install-naked.expected.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-# Source: pattern-install/templates/pattern-operator-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: patterns-operator-config
-  namespace: openshift-operators
-data:
-  gitops.catalogSource: redhat-operators
-  gitops.channel: gitops-1.13
-
-  # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace
-  # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan
-  # gitops.ManualSync: GitOpsDefaultManualSync
-  # gitops.name: GitOpsDefaultPackageName
----
-# Source: pattern-install/templates/pattern.yaml
-apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1
-kind: Pattern
-metadata:
-  name: common-operator-install
-  namespace: openshift-operators
-spec:
-  clusterGroupName: default
-  gitSpec: 
-    targetRepo: https://github.com/pattern-clone/mypattern
-    targetRevision: main 
-  multiSourceConfig:
-    enabled: false
----
-# Source: pattern-install/templates/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: patterns-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/patterns-operator.openshift-operators: ""
-spec:
-  channel: fast
-  installPlanApproval: Automatic
-  name: patterns-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace
diff --git a/tests/common-operator-install-normal.expected.yaml b/tests/common-operator-install-normal.expected.yaml
deleted file mode 100644
index ba97ea46..00000000
--- a/tests/common-operator-install-normal.expected.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-# Source: pattern-install/templates/pattern-operator-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: patterns-operator-config
-  namespace: openshift-operators
-data:
-  gitops.catalogSource: redhat-operators
-  gitops.channel: gitops-1.13
-
-  # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace
-  # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan
-  # gitops.ManualSync: GitOpsDefaultManualSync
-  # gitops.name: GitOpsDefaultPackageName
----
-# Source: pattern-install/templates/pattern.yaml
-apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1
-kind: Pattern
-metadata:
-  name: common-operator-install
-  namespace: openshift-operators
-spec:
-  clusterGroupName: hub
-  gitSpec: 
-    targetRepo: https://github.com/pattern-clone/mypattern
-    targetRevision: main 
-  multiSourceConfig:
-    enabled: true
----
-# Source: pattern-install/templates/subscription.yaml
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: patterns-operator
-  namespace: openshift-operators
-  labels:
-    operators.coreos.com/patterns-operator.openshift-operators: ""
-spec:
-  channel: fast
-  installPlanApproval: Automatic
-  name: patterns-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace