kcr_external_secrets_io 3.20260124.94613

// WARNING: generated by kopium - manual changes will be overwritten
// kopium command: kopium --docs --derive=Default --derive=PartialEq --smart-derive-elision --filename crd-catalog/external-secrets/external-secrets/external-secrets.io/v1/secretstores.yaml
// kopium version: 0.22.5

#[allow(unused_imports)]
mod prelude {
    pub use kube::CustomResource;
    pub use serde::{Serialize, Deserialize};
    pub use std::collections::BTreeMap;
    pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
}
use self::prelude::*;

/// SecretStoreSpec defines the desired state of SecretStore.
#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[kube(group = "external-secrets.io", version = "v1", kind = "SecretStore", plural = "secretstores")]
#[kube(namespaced)]
#[kube(status = "SecretStoreStatus")]
#[kube(schema = "disabled")]
#[kube(derive="Default")]
#[kube(derive="PartialEq")]
pub struct SecretStoreSpec {
    /// Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub conditions: Option<Vec<SecretStoreConditions>>,
    /// Used to select the correct ESO controller (think: ingress.ingressClassName)
    /// The ESO controller is instantiated with a specific controller name and filters ES based on this property
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub controller: Option<String>,
    /// Used to configure the provider. Only one provider may be set
    pub provider: SecretStoreProvider,
    /// Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "refreshInterval")]
    pub refresh_interval: Option<i64>,
    /// Used to configure HTTP retries on failures.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "retrySettings")]
    pub retry_settings: Option<SecretStoreRetrySettings>,
}

/// ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
/// for a ClusterSecretStore instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreConditions {
    /// Choose namespaces by using regex matching
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceRegexes")]
    pub namespace_regexes: Option<Vec<String>>,
    /// Choose namespace using a labelSelector
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
    pub namespace_selector: Option<SecretStoreConditionsNamespaceSelector>,
    /// Choose namespaces by name
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespaces: Option<Vec<String>>,
}

/// Choose namespace using a labelSelector
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreConditionsNamespaceSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<SecretStoreConditionsNamespaceSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}

/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreConditionsNamespaceSelectorMatchExpressions {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}

/// Used to configure the provider. Only one provider may be set
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProvider {
    /// Akeyless configures this store to sync secrets using Akeyless Vault provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub akeyless: Option<SecretStoreProviderAkeyless>,
    /// Alibaba configures this store to sync secrets using Alibaba Cloud provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub alibaba: Option<SecretStoreProviderAlibaba>,
    /// AWS configures this store to sync secrets using AWS Secret Manager provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub aws: Option<SecretStoreProviderAws>,
    /// AzureKV configures this store to sync secrets using Azure Key Vault provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub azurekv: Option<SecretStoreProviderAzurekv>,
    /// Barbican configures this store to sync secrets using the OpenStack Barbican provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub barbican: Option<SecretStoreProviderBarbican>,
    /// Beyondtrust configures this store to sync secrets using Password Safe provider.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub beyondtrust: Option<SecretStoreProviderBeyondtrust>,
    /// BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub bitwardensecretsmanager: Option<SecretStoreProviderBitwardensecretsmanager>,
    /// Chef configures this store to sync secrets with chef server
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub chef: Option<SecretStoreProviderChef>,
    /// CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cloudrusm: Option<SecretStoreProviderCloudrusm>,
    /// Conjur configures this store to sync secrets using conjur provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub conjur: Option<SecretStoreProviderConjur>,
    /// Delinea DevOps Secrets Vault
    /// <https://docs.delinea.com/online-help/products/devops-secrets-vault/current>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub delinea: Option<SecretStoreProviderDelinea>,
    /// Device42 configures this store to sync secrets using the Device42 provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub device42: Option<SecretStoreProviderDevice42>,
    /// Doppler configures this store to sync secrets using the Doppler provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub doppler: Option<SecretStoreProviderDoppler>,
    /// DVLS configures this store to sync secrets using Devolutions Server provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub dvls: Option<SecretStoreProviderDvls>,
    /// Fake configures a store with static key/value pairs
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub fake: Option<SecretStoreProviderFake>,
    /// Fortanix configures this store to sync secrets using the Fortanix provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub fortanix: Option<SecretStoreProviderFortanix>,
    /// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub gcpsm: Option<SecretStoreProviderGcpsm>,
    /// Github configures this store to push GitHub Actions secrets using the GitHub API provider.
    /// Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub github: Option<SecretStoreProviderGithub>,
    /// GitLab configures this store to sync secrets using GitLab Variables provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub gitlab: Option<SecretStoreProviderGitlab>,
    /// IBM configures this store to sync secrets using IBM Cloud provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ibm: Option<SecretStoreProviderIbm>,
    /// Infisical configures this store to sync secrets using the Infisical provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub infisical: Option<SecretStoreProviderInfisical>,
    /// KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub keepersecurity: Option<SecretStoreProviderKeepersecurity>,
    /// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kubernetes: Option<SecretStoreProviderKubernetes>,
    /// Ngrok configures this store to sync secrets using the ngrok provider.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ngrok: Option<SecretStoreProviderNgrok>,
    /// Onboardbase configures this store to sync secrets using the Onboardbase provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub onboardbase: Option<SecretStoreProviderOnboardbase>,
    /// OnePassword configures this store to sync secrets using the 1Password Cloud provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub onepassword: Option<SecretStoreProviderOnepassword>,
    /// OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "onepasswordSDK")]
    pub onepassword_sdk: Option<SecretStoreProviderOnepasswordSdk>,
    /// Oracle configures this store to sync secrets using Oracle Vault provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub oracle: Option<SecretStoreProviderOracle>,
    /// PassboltProvider provides access to Passbolt secrets manager.
    /// See: <https://www.passbolt.com.>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub passbolt: Option<SecretStoreProviderPassbolt>,
    /// PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub passworddepot: Option<SecretStoreProviderPassworddepot>,
    /// Previder configures this store to sync secrets using the Previder provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub previder: Option<SecretStoreProviderPrevider>,
    /// Pulumi configures this store to sync secrets using the Pulumi provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub pulumi: Option<SecretStoreProviderPulumi>,
    /// Scaleway configures this store to sync secrets using the Scaleway provider.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub scaleway: Option<SecretStoreProviderScaleway>,
    /// SecretServer configures this store to sync secrets using SecretServer provider
    /// <https://docs.delinea.com/online-help/secret-server/start.htm>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub secretserver: Option<SecretStoreProviderSecretserver>,
    /// Senhasegura configures this store to sync secrets using senhasegura provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub senhasegura: Option<SecretStoreProviderSenhasegura>,
    /// Vault configures this store to sync secrets using the HashiCorp Vault provider.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub vault: Option<SecretStoreProviderVault>,
    /// Volcengine configures this store to sync secrets using the Volcengine provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub volcengine: Option<SecretStoreProviderVolcengine>,
    /// Webhook configures this store to sync secrets using a generic templated webhook
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub webhook: Option<SecretStoreProviderWebhook>,
    /// YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub yandexcertificatemanager: Option<SecretStoreProviderYandexcertificatemanager>,
    /// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub yandexlockbox: Option<SecretStoreProviderYandexlockbox>,
}

/// Akeyless configures this store to sync secrets using Akeyless Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeyless {
    /// Akeyless GW API Url from which the secrets to be fetched from.
    #[serde(rename = "akeylessGWApiURL")]
    pub akeyless_gw_api_url: String,
    /// Auth configures how the operator authenticates with Akeyless.
    #[serde(rename = "authSecretRef")]
    pub auth_secret_ref: SecretStoreProviderAkeylessAuthSecretRef,
    /// PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
    /// if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
    /// are used to validate the TLS connection.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// The provider for the CA bundle to use to validate Akeyless Gateway certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderAkeylessCaProvider>,
}

/// Auth configures how the operator authenticates with Akeyless.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRef {
    /// Kubernetes authenticates with Akeyless by passing the ServiceAccount
    /// token stored in the named Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesAuth")]
    pub kubernetes_auth: Option<SecretStoreProviderAkeylessAuthSecretRefKubernetesAuth>,
    /// Reference to a Secret that contains the details
    /// to authenticate with Akeyless.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderAkeylessAuthSecretRefSecretRef>,
}

/// Kubernetes authenticates with Akeyless by passing the ServiceAccount
/// token stored in the named Secret resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefKubernetesAuth {
    /// the Akeyless Kubernetes auth-method access-id
    #[serde(rename = "accessID")]
    pub access_id: String,
    /// Kubernetes-auth configuration name in Akeyless-Gateway
    #[serde(rename = "k8sConfName")]
    pub k8s_conf_name: String,
    /// Optional secret field containing a Kubernetes ServiceAccount JWT used
    /// for authenticating with Akeyless. If a name is specified without a key,
    /// `token` is the default. If one is not specified, the one bound to
    /// the controller will be used.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderAkeylessAuthSecretRefKubernetesAuthSecretRef>,
    /// Optional service account field containing the name of a kubernetes ServiceAccount.
    /// If the service account is specified, the service account secret token JWT will be used
    /// for authenticating with Akeyless. If the service account selector is not supplied,
    /// the secretRef will be used instead.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderAkeylessAuthSecretRefKubernetesAuthServiceAccountRef>,
}

/// Optional secret field containing a Kubernetes ServiceAccount JWT used
/// for authenticating with Akeyless. If a name is specified without a key,
/// `token` is the default. If one is not specified, the one bound to
/// the controller will be used.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefKubernetesAuthSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Optional service account field containing the name of a kubernetes ServiceAccount.
/// If the service account is specified, the service account secret token JWT will be used
/// for authenticating with Akeyless. If the service account selector is not supplied,
/// the secretRef will be used instead.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefKubernetesAuthServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Reference to a Secret that contains the details
/// to authenticate with Akeyless.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefSecretRef {
    /// The SecretAccessID is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessID")]
    pub access_id: Option<SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessId>,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessType")]
    pub access_type: Option<SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessType>,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessTypeParam")]
    pub access_type_param: Option<SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessTypeParam>,
}

/// The SecretAccessID is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessType {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessTypeParam {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The provider for the CA bundle to use to validate Akeyless Gateway certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderAkeylessCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    /// Can only be defined when used in a ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderAkeylessCaProviderType,
}

/// The provider for the CA bundle to use to validate Akeyless Gateway certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderAkeylessCaProviderType {
    Secret,
    ConfigMap,
}

/// Alibaba configures this store to sync secrets using Alibaba Cloud provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibaba {
    /// AlibabaAuth contains a secretRef for credentials.
    pub auth: SecretStoreProviderAlibabaAuth,
    /// Alibaba Region to be used for the provider
    #[serde(rename = "regionID")]
    pub region_id: String,
}

/// AlibabaAuth contains a secretRef for credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuth {
    /// AlibabaRRSAAuth authenticates against Alibaba using RRSA.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub rrsa: Option<SecretStoreProviderAlibabaAuthRrsa>,
    /// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderAlibabaAuthSecretRef>,
}

/// AlibabaRRSAAuth authenticates against Alibaba using RRSA.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuthRrsa {
    #[serde(rename = "oidcProviderArn")]
    pub oidc_provider_arn: String,
    #[serde(rename = "oidcTokenFilePath")]
    pub oidc_token_file_path: String,
    #[serde(rename = "roleArn")]
    pub role_arn: String,
    #[serde(rename = "sessionName")]
    pub session_name: String,
}

/// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuthSecretRef {
    /// The AccessKeyID is used for authentication
    #[serde(rename = "accessKeyIDSecretRef")]
    pub access_key_id_secret_ref: SecretStoreProviderAlibabaAuthSecretRefAccessKeyIdSecretRef,
    /// The AccessKeySecret is used for authentication
    #[serde(rename = "accessKeySecretSecretRef")]
    pub access_key_secret_secret_ref: SecretStoreProviderAlibabaAuthSecretRefAccessKeySecretSecretRef,
}

/// The AccessKeyID is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuthSecretRefAccessKeyIdSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The AccessKeySecret is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuthSecretRefAccessKeySecretSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AWS configures this store to sync secrets using AWS Secret Manager provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderAws {
    /// AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "additionalRoles")]
    pub additional_roles: Option<Vec<String>>,
    /// Auth defines the information necessary to authenticate against AWS
    /// if not set aws sdk will infer credentials from your environment
    /// see: <https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderAwsAuth>,
    /// AWS External ID set on assumed IAM roles
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "externalID")]
    pub external_id: Option<String>,
    /// Prefix adds a prefix to all retrieved values.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub prefix: Option<String>,
    /// AWS Region to be used for the provider
    pub region: String,
    /// Role is a Role ARN which the provider will assume
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub role: Option<String>,
    /// SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretsManager")]
    pub secrets_manager: Option<SecretStoreProviderAwsSecretsManager>,
    /// Service defines which service should be used to fetch the secrets
    pub service: SecretStoreProviderAwsService,
    /// AWS STS assume role session tags
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "sessionTags")]
    pub session_tags: Option<Vec<SecretStoreProviderAwsSessionTags>>,
    /// AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "transitiveTagKeys")]
    pub transitive_tag_keys: Option<Vec<String>>,
}

/// Auth defines the information necessary to authenticate against AWS
/// if not set aws sdk will infer credentials from your environment
/// see: <https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuth {
    /// AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub jwt: Option<SecretStoreProviderAwsAuthJwt>,
    /// AWSAuthSecretRef holds secret references for AWS credentials
    /// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderAwsAuthSecretRef>,
}

/// AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthJwt {
    /// ServiceAccountSelector is a reference to a ServiceAccount resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderAwsAuthJwtServiceAccountRef>,
}

/// ServiceAccountSelector is a reference to a ServiceAccount resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthJwtServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AWSAuthSecretRef holds secret references for AWS credentials
/// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthSecretRef {
    /// The AccessKeyID is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessKeyIDSecretRef")]
    pub access_key_id_secret_ref: Option<SecretStoreProviderAwsAuthSecretRefAccessKeyIdSecretRef>,
    /// The SecretAccessKey is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretAccessKeySecretRef")]
    pub secret_access_key_secret_ref: Option<SecretStoreProviderAwsAuthSecretRefSecretAccessKeySecretRef>,
    /// The SessionToken used for authentication
    /// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
    /// see: <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "sessionTokenSecretRef")]
    pub session_token_secret_ref: Option<SecretStoreProviderAwsAuthSecretRefSessionTokenSecretRef>,
}

/// The AccessKeyID is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthSecretRefAccessKeyIdSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The SecretAccessKey is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthSecretRefSecretAccessKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The SessionToken used for authentication
/// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
/// see: <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthSecretRefSessionTokenSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsSecretsManager {
    /// Specifies whether to delete the secret without any recovery window. You
    /// can't use both this parameter and RecoveryWindowInDays in the same call.
    /// If you don't use either, then by default Secrets Manager uses a 30 day
    /// recovery window.
    /// see: <https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "forceDeleteWithoutRecovery")]
    pub force_delete_without_recovery: Option<bool>,
    /// The number of days from 7 to 30 that Secrets Manager waits before
    /// permanently deleting the secret. You can't use both this parameter and
    /// ForceDeleteWithoutRecovery in the same call. If you don't use either,
    /// then by default Secrets Manager uses a 30-day recovery window.
    /// see: <https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "recoveryWindowInDays")]
    pub recovery_window_in_days: Option<i64>,
}

/// AWS configures this store to sync secrets using AWS Secret Manager provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderAwsService {
    SecretsManager,
    ParameterStore,
}

/// Tag is a key-value pair that can be attached to an AWS resource.
/// see: <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsSessionTags {
    pub key: String,
    pub value: String,
}

/// AzureKV configures this store to sync secrets using Azure Key Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekv {
    /// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authSecretRef")]
    pub auth_secret_ref: Option<SecretStoreProviderAzurekvAuthSecretRef>,
    /// Auth type defines how to authenticate to the keyvault service.
    /// Valid values are:
    /// - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
    /// - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authType")]
    pub auth_type: Option<SecretStoreProviderAzurekvAuthType>,
    /// CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
    /// Required when EnvironmentType is AzureStackCloud.
    /// Optional for other environment types - useful for Azure China when using Workload Identity
    /// with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
    /// standard China Cloud endpoint (login.chinacloudapi.cn).
    /// IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
    /// configuration is not supported with the legacy go-autorest SDK.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "customCloudConfig")]
    pub custom_cloud_config: Option<SecretStoreProviderAzurekvCustomCloudConfig>,
    /// EnvironmentType specifies the Azure cloud environment endpoints to use for
    /// connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
    /// The following endpoints are available, also see here: <https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152>
    /// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
    /// Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "environmentType")]
    pub environment_type: Option<SecretStoreProviderAzurekvEnvironmentType>,
    /// If multiple Managed Identity is assigned to the pod, you can select the one to be used
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "identityId")]
    pub identity_id: Option<String>,
    /// ServiceAccountRef specified the service account
    /// that should be used when authenticating with WorkloadIdentity.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderAzurekvServiceAccountRef>,
    /// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantId")]
    pub tenant_id: Option<String>,
    /// UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
    /// This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "useAzureSDK")]
    pub use_azure_sdk: Option<bool>,
    /// Vault Url from which the secrets to be fetched from.
    #[serde(rename = "vaultUrl")]
    pub vault_url: String,
}

/// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvAuthSecretRef {
    /// The Azure ClientCertificate of the service principle used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientCertificate")]
    pub client_certificate: Option<SecretStoreProviderAzurekvAuthSecretRefClientCertificate>,
    /// The Azure clientId of the service principle or managed identity used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientId")]
    pub client_id: Option<SecretStoreProviderAzurekvAuthSecretRefClientId>,
    /// The Azure ClientSecret of the service principle used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientSecret")]
    pub client_secret: Option<SecretStoreProviderAzurekvAuthSecretRefClientSecret>,
    /// The Azure tenantId of the managed identity used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantId")]
    pub tenant_id: Option<SecretStoreProviderAzurekvAuthSecretRefTenantId>,
}

/// The Azure ClientCertificate of the service principle used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvAuthSecretRefClientCertificate {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The Azure clientId of the service principle or managed identity used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvAuthSecretRefClientId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The Azure ClientSecret of the service principle used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvAuthSecretRefClientSecret {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The Azure tenantId of the managed identity used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvAuthSecretRefTenantId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AzureKV configures this store to sync secrets using Azure Key Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderAzurekvAuthType {
    ServicePrincipal,
    ManagedIdentity,
    WorkloadIdentity,
}

/// CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
/// Required when EnvironmentType is AzureStackCloud.
/// Optional for other environment types - useful for Azure China when using Workload Identity
/// with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
/// standard China Cloud endpoint (login.chinacloudapi.cn).
/// IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
/// configuration is not supported with the legacy go-autorest SDK.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvCustomCloudConfig {
    /// ActiveDirectoryEndpoint is the AAD endpoint for authentication
    /// Required when using custom cloud configuration
    #[serde(rename = "activeDirectoryEndpoint")]
    pub active_directory_endpoint: String,
    /// KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyVaultDNSSuffix")]
    pub key_vault_dns_suffix: Option<String>,
    /// KeyVaultEndpoint is the Key Vault service endpoint
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyVaultEndpoint")]
    pub key_vault_endpoint: Option<String>,
    /// ResourceManagerEndpoint is the Azure Resource Manager endpoint
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceManagerEndpoint")]
    pub resource_manager_endpoint: Option<String>,
}

/// AzureKV configures this store to sync secrets using Azure Key Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderAzurekvEnvironmentType {
    PublicCloud,
    #[serde(rename = "USGovernmentCloud")]
    UsGovernmentCloud,
    ChinaCloud,
    GermanCloud,
    AzureStackCloud,
}

/// ServiceAccountRef specified the service account
/// that should be used when authenticating with WorkloadIdentity.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Barbican configures this store to sync secrets using the OpenStack Barbican provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBarbican {
    /// BarbicanAuth contains the authentication information for Barbican.
    pub auth: SecretStoreProviderBarbicanAuth,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authURL")]
    pub auth_url: Option<String>,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "domainName")]
    pub domain_name: Option<String>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantName")]
    pub tenant_name: Option<String>,
}

/// BarbicanAuth contains the authentication information for Barbican.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBarbicanAuth {
    /// BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
    pub password: SecretStoreProviderBarbicanAuthPassword,
    /// BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
    pub username: SecretStoreProviderBarbicanAuthUsername,
}

/// BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBarbicanAuthPassword {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderBarbicanAuthPasswordSecretRef,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBarbicanAuthPasswordSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBarbicanAuthUsername {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderBarbicanAuthUsernameSecretRef>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBarbicanAuthUsernameSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Beyondtrust configures this store to sync secrets using Password Safe provider.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrust {
    /// Auth configures how the operator authenticates with Beyondtrust.
    pub auth: SecretStoreProviderBeyondtrustAuth,
    /// Auth configures how API server works.
    pub server: SecretStoreProviderBeyondtrustServer,
}

/// Auth configures how the operator authenticates with Beyondtrust.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuth {
    /// APIKey If not provided then ClientID/ClientSecret become required.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiKey")]
    pub api_key: Option<SecretStoreProviderBeyondtrustAuthApiKey>,
    /// Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub certificate: Option<SecretStoreProviderBeyondtrustAuthCertificate>,
    /// Certificate private key (key.pem). For use when authenticating with an OAuth client Id
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "certificateKey")]
    pub certificate_key: Option<SecretStoreProviderBeyondtrustAuthCertificateKey>,
    /// ClientID is the API OAuth Client ID.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientId")]
    pub client_id: Option<SecretStoreProviderBeyondtrustAuthClientId>,
    /// ClientSecret is the API OAuth Client Secret.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientSecret")]
    pub client_secret: Option<SecretStoreProviderBeyondtrustAuthClientSecret>,
}

/// APIKey If not provided then ClientID/ClientSecret become required.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthApiKey {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderBeyondtrustAuthApiKeySecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthApiKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthCertificate {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderBeyondtrustAuthCertificateSecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthCertificateSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Certificate private key (key.pem). For use when authenticating with an OAuth client Id
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthCertificateKey {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderBeyondtrustAuthCertificateKeySecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthCertificateKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// ClientID is the API OAuth Client ID.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthClientId {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderBeyondtrustAuthClientIdSecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthClientIdSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// ClientSecret is the API OAuth Client Secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthClientSecret {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderBeyondtrustAuthClientSecretSecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustAuthClientSecretSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Auth configures how API server works.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBeyondtrustServer {
    #[serde(rename = "apiUrl")]
    pub api_url: String,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiVersion")]
    pub api_version: Option<String>,
    /// Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientTimeOutSeconds")]
    pub client_time_out_seconds: Option<i64>,
    /// When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub decrypt: Option<bool>,
    /// The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "retrievalType")]
    pub retrieval_type: Option<String>,
    /// A character that separates the folder names.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub separator: Option<String>,
    #[serde(rename = "verifyCA")]
    pub verify_ca: bool,
}

/// BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBitwardensecretsmanager {
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiURL")]
    pub api_url: Option<String>,
    /// Auth configures how secret-manager authenticates with a bitwarden machine account instance.
    /// Make sure that the token being used has permissions on the given secret.
    pub auth: SecretStoreProviderBitwardensecretsmanagerAuth,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "bitwardenServerSDKURL")]
    pub bitwarden_server_sdkurl: Option<String>,
    /// Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
    /// can be performed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// see: <https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderBitwardensecretsmanagerCaProvider>,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "identityURL")]
    pub identity_url: Option<String>,
    /// OrganizationID determines which organization this secret store manages.
    #[serde(rename = "organizationID")]
    pub organization_id: String,
    /// ProjectID determines which project this secret store manages.
    #[serde(rename = "projectID")]
    pub project_id: String,
}

/// Auth configures how secret-manager authenticates with a bitwarden machine account instance.
/// Make sure that the token being used has permissions on the given secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBitwardensecretsmanagerAuth {
    /// BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderBitwardensecretsmanagerAuthSecretRef,
}

/// BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBitwardensecretsmanagerAuthSecretRef {
    /// AccessToken used for the bitwarden instance.
    pub credentials: SecretStoreProviderBitwardensecretsmanagerAuthSecretRefCredentials,
}

/// AccessToken used for the bitwarden instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderBitwardensecretsmanagerAuthSecretRefCredentials {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// see: <https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderBitwardensecretsmanagerCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    /// Can only be defined when used in a ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderBitwardensecretsmanagerCaProviderType,
}

/// see: <https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderBitwardensecretsmanagerCaProviderType {
    Secret,
    ConfigMap,
}

/// Chef configures this store to sync secrets with chef server
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderChef {
    /// Auth defines the information necessary to authenticate against chef Server
    pub auth: SecretStoreProviderChefAuth,
    /// ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
    #[serde(rename = "serverUrl")]
    pub server_url: String,
    /// UserName should be the user ID on the chef server
    pub username: String,
}

/// Auth defines the information necessary to authenticate against chef Server
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderChefAuth {
    /// ChefAuthSecretRef holds secret references for chef server login credentials.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderChefAuthSecretRef,
}

/// ChefAuthSecretRef holds secret references for chef server login credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderChefAuthSecretRef {
    /// SecretKey is the Signing Key in PEM format, used for authentication.
    #[serde(rename = "privateKeySecretRef")]
    pub private_key_secret_ref: SecretStoreProviderChefAuthSecretRefPrivateKeySecretRef,
}

/// SecretKey is the Signing Key in PEM format, used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderChefAuthSecretRefPrivateKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderCloudrusm {
    /// CSMAuth contains a secretRef for credentials.
    pub auth: SecretStoreProviderCloudrusmAuth,
    /// ProjectID is the project, which the secrets are stored in.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "projectID")]
    pub project_id: Option<String>,
}

/// CSMAuth contains a secretRef for credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderCloudrusmAuth {
    /// CSMAuthSecretRef holds secret references for Cloud.ru credentials.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderCloudrusmAuthSecretRef>,
}

/// CSMAuthSecretRef holds secret references for Cloud.ru credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderCloudrusmAuthSecretRef {
    /// The AccessKeyID is used for authentication
    #[serde(rename = "accessKeyIDSecretRef")]
    pub access_key_id_secret_ref: SecretStoreProviderCloudrusmAuthSecretRefAccessKeyIdSecretRef,
    /// The AccessKeySecret is used for authentication
    #[serde(rename = "accessKeySecretSecretRef")]
    pub access_key_secret_secret_ref: SecretStoreProviderCloudrusmAuthSecretRefAccessKeySecretSecretRef,
}

/// The AccessKeyID is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderCloudrusmAuthSecretRefAccessKeyIdSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The AccessKeySecret is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderCloudrusmAuthSecretRefAccessKeySecretSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Conjur configures this store to sync secrets using conjur provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderConjur {
    /// Defines authentication settings for connecting to Conjur.
    pub auth: SecretStoreProviderConjurAuth,
    /// CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// Used to provide custom certificate authority (CA) certificates
    /// for a secret store. The CAProvider points to a Secret or ConfigMap resource
    /// that contains a PEM-encoded certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderConjurCaProvider>,
    /// URL is the endpoint of the Conjur instance.
    pub url: String,
}

/// Defines authentication settings for connecting to Conjur.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderConjurAuth {
    /// Authenticates with Conjur using an API key.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub apikey: Option<SecretStoreProviderConjurAuthApikey>,
    /// Jwt enables JWT authentication using Kubernetes service account tokens.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub jwt: Option<SecretStoreProviderConjurAuthJwt>,
}

/// Authenticates with Conjur using an API key.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderConjurAuthApikey {
    /// Account is the Conjur organization account name.
    pub account: String,
    /// A reference to a specific 'key' containing the Conjur API key
    /// within a Secret resource. In some instances, `key` is a required field.
    #[serde(rename = "apiKeyRef")]
    pub api_key_ref: SecretStoreProviderConjurAuthApikeyApiKeyRef,
    /// A reference to a specific 'key' containing the Conjur username
    /// within a Secret resource. In some instances, `key` is a required field.
    #[serde(rename = "userRef")]
    pub user_ref: SecretStoreProviderConjurAuthApikeyUserRef,
}

/// A reference to a specific 'key' containing the Conjur API key
/// within a Secret resource. In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderConjurAuthApikeyApiKeyRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// A reference to a specific 'key' containing the Conjur username
/// within a Secret resource. In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderConjurAuthApikeyUserRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Jwt enables JWT authentication using Kubernetes service account tokens.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderConjurAuthJwt {
    /// Account is the Conjur organization account name.
    pub account: String,
    /// Optional HostID for JWT authentication. This may be used depending
    /// on how the Conjur JWT authenticator policy is configured.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostId")]
    pub host_id: Option<String>,
    /// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
    /// authenticate with Conjur using the JWT authentication method.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderConjurAuthJwtSecretRef>,
    /// Optional ServiceAccountRef specifies the Kubernetes service account for which to request
    /// a token for with the `TokenRequest` API.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderConjurAuthJwtServiceAccountRef>,
    /// The conjur authn jwt webservice id
    #[serde(rename = "serviceID")]
    pub service_id: String,
}

/// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
/// authenticate with Conjur using the JWT authentication method.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderConjurAuthJwtSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Optional ServiceAccountRef specifies the Kubernetes service account for which to request
/// a token for with the `TokenRequest` API.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderConjurAuthJwtServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Used to provide custom certificate authority (CA) certificates
/// for a secret store. The CAProvider points to a Secret or ConfigMap resource
/// that contains a PEM-encoded certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderConjurCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    /// Can only be defined when used in a ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderConjurCaProviderType,
}

/// Used to provide custom certificate authority (CA) certificates
/// for a secret store. The CAProvider points to a Secret or ConfigMap resource
/// that contains a PEM-encoded certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderConjurCaProviderType {
    Secret,
    ConfigMap,
}

/// Delinea DevOps Secrets Vault
/// <https://docs.delinea.com/online-help/products/devops-secrets-vault/current>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDelinea {
    /// ClientID is the non-secret part of the credential.
    #[serde(rename = "clientId")]
    pub client_id: SecretStoreProviderDelineaClientId,
    /// ClientSecret is the secret part of the credential.
    #[serde(rename = "clientSecret")]
    pub client_secret: SecretStoreProviderDelineaClientSecret,
    /// Tenant is the chosen hostname / site name.
    pub tenant: String,
    /// TLD is based on the server location that was chosen during provisioning.
    /// If unset, defaults to "com".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub tld: Option<String>,
    /// URLTemplate
    /// If unset, defaults to "<https://%s.secretsvaultcloud.%s/v1/%s%s".>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "urlTemplate")]
    pub url_template: Option<String>,
}

/// ClientID is the non-secret part of the credential.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDelineaClientId {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderDelineaClientIdSecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDelineaClientIdSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// ClientSecret is the secret part of the credential.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDelineaClientSecret {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderDelineaClientSecretSecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDelineaClientSecretSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Device42 configures this store to sync secrets using the Device42 provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDevice42 {
    /// Auth configures how secret-manager authenticates with a Device42 instance.
    pub auth: SecretStoreProviderDevice42Auth,
    /// URL configures the Device42 instance URL.
    pub host: String,
}

/// Auth configures how secret-manager authenticates with a Device42 instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDevice42Auth {
    /// Device42SecretRef contains the secret reference for accessing the Device42 instance.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderDevice42AuthSecretRef,
}

/// Device42SecretRef contains the secret reference for accessing the Device42 instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDevice42AuthSecretRef {
    /// Username / Password is used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub credentials: Option<SecretStoreProviderDevice42AuthSecretRefCredentials>,
}

/// Username / Password is used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDevice42AuthSecretRefCredentials {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Doppler configures this store to sync secrets using the Doppler provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDoppler {
    /// Auth configures how the Operator authenticates with the Doppler API
    pub auth: SecretStoreProviderDopplerAuth,
    /// Doppler config (required if not using a Service Token)
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub config: Option<String>,
    /// Format enables the downloading of secrets as a file (string)
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub format: Option<SecretStoreProviderDopplerFormat>,
    /// Environment variable compatible name transforms that change secret names to a different format
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "nameTransformer")]
    pub name_transformer: Option<SecretStoreProviderDopplerNameTransformer>,
    /// Doppler project (required if not using a Service Token)
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub project: Option<String>,
}

/// Auth configures how the Operator authenticates with the Doppler API
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDopplerAuth {
    /// OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "oidcConfig")]
    pub oidc_config: Option<SecretStoreProviderDopplerAuthOidcConfig>,
    /// SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderDopplerAuthSecretRef>,
}

/// OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDopplerAuthOidcConfig {
    /// ExpirationSeconds sets the ServiceAccount token validity duration.
    /// Defaults to 10 minutes.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "expirationSeconds")]
    pub expiration_seconds: Option<i64>,
    /// Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
    pub identity: String,
    /// ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
    #[serde(rename = "serviceAccountRef")]
    pub service_account_ref: SecretStoreProviderDopplerAuthOidcConfigServiceAccountRef,
}

/// ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDopplerAuthOidcConfigServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDopplerAuthSecretRef {
    /// The DopplerToken is used for authentication.
    /// See <https://docs.doppler.com/reference/api#authentication> for auth token types.
    /// The Key attribute defaults to dopplerToken if not specified.
    #[serde(rename = "dopplerToken")]
    pub doppler_token: SecretStoreProviderDopplerAuthSecretRefDopplerToken,
}

/// The DopplerToken is used for authentication.
/// See <https://docs.doppler.com/reference/api#authentication> for auth token types.
/// The Key attribute defaults to dopplerToken if not specified.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDopplerAuthSecretRefDopplerToken {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Doppler configures this store to sync secrets using the Doppler provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderDopplerFormat {
    #[serde(rename = "json")]
    Json,
    #[serde(rename = "dotnet-json")]
    DotnetJson,
    #[serde(rename = "env")]
    Env,
    #[serde(rename = "yaml")]
    Yaml,
    #[serde(rename = "docker")]
    Docker,
}

/// Doppler configures this store to sync secrets using the Doppler provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderDopplerNameTransformer {
    #[serde(rename = "upper-camel")]
    UpperCamel,
    #[serde(rename = "camel")]
    Camel,
    #[serde(rename = "lower-snake")]
    LowerSnake,
    #[serde(rename = "tf-var")]
    TfVar,
    #[serde(rename = "dotnet-env")]
    DotnetEnv,
    #[serde(rename = "lower-kebab")]
    LowerKebab,
}

/// DVLS configures this store to sync secrets using Devolutions Server provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDvls {
    /// Auth defines the authentication method to use.
    pub auth: SecretStoreProviderDvlsAuth,
    /// Insecure allows connecting to DVLS over plain HTTP.
    /// This is NOT RECOMMENDED for production use.
    /// Set to true only if you understand the security implications.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub insecure: Option<bool>,
    /// ServerURL is the DVLS instance URL (e.g., <https://dvls.example.com).>
    #[serde(rename = "serverUrl")]
    pub server_url: String,
}

/// Auth defines the authentication method to use.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDvlsAuth {
    /// SecretRef contains the Application ID and Application Secret for authentication.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderDvlsAuthSecretRef,
}

/// SecretRef contains the Application ID and Application Secret for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDvlsAuthSecretRef {
    /// AppID is the reference to the secret containing the Application ID.
    #[serde(rename = "appId")]
    pub app_id: SecretStoreProviderDvlsAuthSecretRefAppId,
    /// AppSecret is the reference to the secret containing the Application Secret.
    #[serde(rename = "appSecret")]
    pub app_secret: SecretStoreProviderDvlsAuthSecretRefAppSecret,
}

/// AppID is the reference to the secret containing the Application ID.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDvlsAuthSecretRefAppId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AppSecret is the reference to the secret containing the Application Secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderDvlsAuthSecretRefAppSecret {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Fake configures a store with static key/value pairs
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderFake {
    pub data: Vec<SecretStoreProviderFakeData>,
    /// ValidationResult is defined type for the number of validation results.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "validationResult")]
    pub validation_result: Option<i64>,
}

/// FakeProviderData defines a key-value pair with optional version for the fake provider.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderFakeData {
    pub key: String,
    pub value: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}

/// Fortanix configures this store to sync secrets using the Fortanix provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderFortanix {
    /// APIKey is the API token to access SDKMS Applications.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiKey")]
    pub api_key: Option<SecretStoreProviderFortanixApiKey>,
    /// APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiUrl")]
    pub api_url: Option<String>,
}

/// APIKey is the API token to access SDKMS Applications.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderFortanixApiKey {
    /// SecretRef is a reference to a secret containing the SDKMS API Key.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderFortanixApiKeySecretRef>,
}

/// SecretRef is a reference to a secret containing the SDKMS API Key.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderFortanixApiKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsm {
    /// Auth defines the information necessary to authenticate against GCP
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderGcpsmAuth>,
    /// Location optionally defines a location for a secret
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub location: Option<String>,
    /// ProjectID project where secret is located
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "projectID")]
    pub project_id: Option<String>,
    /// SecretVersionSelectionPolicy specifies how the provider selects a secret version
    /// when "latest" is disabled or destroyed.
    /// Possible values are:
    /// - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
    /// - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretVersionSelectionPolicy")]
    pub secret_version_selection_policy: Option<String>,
}

/// Auth defines the information necessary to authenticate against GCP
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuth {
    /// GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderGcpsmAuthSecretRef>,
    /// GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "workloadIdentity")]
    pub workload_identity: Option<SecretStoreProviderGcpsmAuthWorkloadIdentity>,
    /// GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "workloadIdentityFederation")]
    pub workload_identity_federation: Option<SecretStoreProviderGcpsmAuthWorkloadIdentityFederation>,
}

/// GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthSecretRef {
    /// The SecretAccessKey is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretAccessKeySecretRef")]
    pub secret_access_key_secret_ref: Option<SecretStoreProviderGcpsmAuthSecretRefSecretAccessKeySecretRef>,
}

/// The SecretAccessKey is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthSecretRefSecretAccessKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentity {
    /// ClusterLocation is the location of the cluster
    /// If not specified, it fetches information from the metadata server
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterLocation")]
    pub cluster_location: Option<String>,
    /// ClusterName is the name of the cluster
    /// If not specified, it fetches information from the metadata server
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterName")]
    pub cluster_name: Option<String>,
    /// ClusterProjectID is the project ID of the cluster
    /// If not specified, it fetches information from the metadata server
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterProjectID")]
    pub cluster_project_id: Option<String>,
    /// ServiceAccountSelector is a reference to a ServiceAccount resource.
    #[serde(rename = "serviceAccountRef")]
    pub service_account_ref: SecretStoreProviderGcpsmAuthWorkloadIdentityServiceAccountRef,
}

/// ServiceAccountSelector is a reference to a ServiceAccount resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentityServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentityFederation {
    /// audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
    /// If specified, Audience found in the external account credential config will be overridden with the configured value.
    /// audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audience: Option<String>,
    /// awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
    /// when using the AWS metadata server is not an option.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "awsSecurityCredentials")]
    pub aws_security_credentials: Option<SecretStoreProviderGcpsmAuthWorkloadIdentityFederationAwsSecurityCredentials>,
    /// credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
    /// For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
    /// serviceAccountRef must be used by providing operators service account details.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "credConfig")]
    pub cred_config: Option<SecretStoreProviderGcpsmAuthWorkloadIdentityFederationCredConfig>,
    /// externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
    /// credential_source.url in the provided credConfig. This field is merely to double-check the external token source
    /// URL is having the expected value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "externalTokenEndpoint")]
    pub external_token_endpoint: Option<String>,
    /// serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
    /// when Kubernetes is configured as provider in workload identity pool.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderGcpsmAuthWorkloadIdentityFederationServiceAccountRef>,
}

/// awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
/// when using the AWS metadata server is not an option.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentityFederationAwsSecurityCredentials {
    /// awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
    /// Secret should be created with below names for keys
    /// - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
    /// - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
    /// - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
    #[serde(rename = "awsCredentialsSecretRef")]
    pub aws_credentials_secret_ref: SecretStoreProviderGcpsmAuthWorkloadIdentityFederationAwsSecurityCredentialsAwsCredentialsSecretRef,
    /// region is for configuring the AWS region to be used.
    pub region: String,
}

/// awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
/// Secret should be created with below names for keys
/// - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
/// - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
/// - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentityFederationAwsSecurityCredentialsAwsCredentialsSecretRef {
    /// name of the secret.
    pub name: String,
    /// namespace in which the secret exists. If empty, secret will looked up in local namespace.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
/// For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
/// serviceAccountRef must be used by providing operators service account details.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentityFederationCredConfig {
    /// key name holding the external account credential config.
    pub key: String,
    /// name of the configmap.
    pub name: String,
    /// namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
/// when Kubernetes is configured as provider in workload identity pool.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentityFederationServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Github configures this store to push GitHub Actions secrets using the GitHub API provider.
/// Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGithub {
    /// appID specifies the Github APP that will be used to authenticate the client
    #[serde(rename = "appID")]
    pub app_id: i64,
    /// auth configures how secret-manager authenticates with a Github instance.
    pub auth: SecretStoreProviderGithubAuth,
    /// environment will be used to fetch secrets from a particular environment within a github repository
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub environment: Option<String>,
    /// installationID specifies the Github APP installation that will be used to authenticate the client
    #[serde(rename = "installationID")]
    pub installation_id: i64,
    /// organization will be used to fetch secrets from the Github organization
    pub organization: String,
    /// repository will be used to fetch secrets from the Github repository within an organization
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub repository: Option<String>,
    /// Upload URL for enterprise instances. Default to URL.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "uploadURL")]
    pub upload_url: Option<String>,
    /// URL configures the Github instance URL. Defaults to <https://github.com/.>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub url: Option<String>,
}

/// auth configures how secret-manager authenticates with a Github instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGithubAuth {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "privateKey")]
    pub private_key: SecretStoreProviderGithubAuthPrivateKey,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGithubAuthPrivateKey {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// GitLab configures this store to sync secrets using GitLab Variables provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGitlab {
    /// Auth configures how secret-manager authenticates with a GitLab instance.
    pub auth: SecretStoreProviderGitlabAuth,
    /// Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
    /// can be performed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// see: <https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderGitlabCaProvider>,
    /// Environment environment_scope of gitlab CI/CD variables (Please see <https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment> on how to create environments)
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub environment: Option<String>,
    /// GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "groupIDs")]
    pub group_i_ds: Option<Vec<String>>,
    /// InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "inheritFromGroups")]
    pub inherit_from_groups: Option<bool>,
    /// ProjectID specifies a project where secrets are located.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "projectID")]
    pub project_id: Option<String>,
    /// URL configures the GitLab instance URL. Defaults to <https://gitlab.com/.>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub url: Option<String>,
}

/// Auth configures how secret-manager authenticates with a GitLab instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGitlabAuth {
    /// GitlabSecretRef contains the secret reference for GitLab authentication credentials.
    #[serde(rename = "SecretRef")]
    pub secret_ref: SecretStoreProviderGitlabAuthSecretRef,
}

/// GitlabSecretRef contains the secret reference for GitLab authentication credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGitlabAuthSecretRef {
    /// AccessToken is used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessToken")]
    pub access_token: Option<SecretStoreProviderGitlabAuthSecretRefAccessToken>,
}

/// AccessToken is used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGitlabAuthSecretRefAccessToken {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// see: <https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderGitlabCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    /// Can only be defined when used in a ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderGitlabCaProviderType,
}

/// see: <https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderGitlabCaProviderType {
    Secret,
    ConfigMap,
}

/// IBM configures this store to sync secrets using IBM Cloud provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbm {
    /// Auth configures how secret-manager authenticates with the IBM secrets manager.
    pub auth: SecretStoreProviderIbmAuth,
    /// ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceUrl")]
    pub service_url: Option<String>,
}

/// Auth configures how secret-manager authenticates with the IBM secrets manager.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbmAuth {
    /// IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "containerAuth")]
    pub container_auth: Option<SecretStoreProviderIbmAuthContainerAuth>,
    /// IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderIbmAuthSecretRef>,
}

/// IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbmAuthContainerAuth {
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "iamEndpoint")]
    pub iam_endpoint: Option<String>,
    /// the IBM Trusted Profile
    pub profile: String,
    /// Location the token is mounted on the pod
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenLocation")]
    pub token_location: Option<String>,
}

/// IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbmAuthSecretRef {
    /// The IAM endpoint used to obain a token
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "iamEndpoint")]
    pub iam_endpoint: Option<String>,
    /// The SecretAccessKey is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretApiKeySecretRef")]
    pub secret_api_key_secret_ref: Option<SecretStoreProviderIbmAuthSecretRefSecretApiKeySecretRef>,
}

/// The SecretAccessKey is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbmAuthSecretRefSecretApiKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Infisical configures this store to sync secrets using the Infisical provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisical {
    /// Auth configures how the Operator authenticates with the Infisical API
    pub auth: SecretStoreProviderInfisicalAuth,
    /// CABundle is a PEM-encoded CA certificate bundle used to validate
    /// the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
    /// The certificate is used to validate the Infisical server's TLS certificate.
    /// Mutually exclusive with CABundle.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderInfisicalCaProvider>,
    /// HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "<https://app.infisical.com/api".>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostAPI")]
    pub host_api: Option<String>,
    /// SecretsScope defines the scope of the secrets within the workspace
    #[serde(rename = "secretsScope")]
    pub secrets_scope: SecretStoreProviderInfisicalSecretsScope,
}

/// Auth configures how the Operator authenticates with the Infisical API
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuth {
    /// AwsAuthCredentials represents the credentials for AWS authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "awsAuthCredentials")]
    pub aws_auth_credentials: Option<SecretStoreProviderInfisicalAuthAwsAuthCredentials>,
    /// AzureAuthCredentials represents the credentials for Azure authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "azureAuthCredentials")]
    pub azure_auth_credentials: Option<SecretStoreProviderInfisicalAuthAzureAuthCredentials>,
    /// GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "gcpIamAuthCredentials")]
    pub gcp_iam_auth_credentials: Option<SecretStoreProviderInfisicalAuthGcpIamAuthCredentials>,
    /// GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "gcpIdTokenAuthCredentials")]
    pub gcp_id_token_auth_credentials: Option<SecretStoreProviderInfisicalAuthGcpIdTokenAuthCredentials>,
    /// JwtAuthCredentials represents the credentials for JWT authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "jwtAuthCredentials")]
    pub jwt_auth_credentials: Option<SecretStoreProviderInfisicalAuthJwtAuthCredentials>,
    /// KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesAuthCredentials")]
    pub kubernetes_auth_credentials: Option<SecretStoreProviderInfisicalAuthKubernetesAuthCredentials>,
    /// LdapAuthCredentials represents the credentials for LDAP authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ldapAuthCredentials")]
    pub ldap_auth_credentials: Option<SecretStoreProviderInfisicalAuthLdapAuthCredentials>,
    /// OciAuthCredentials represents the credentials for OCI authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ociAuthCredentials")]
    pub oci_auth_credentials: Option<SecretStoreProviderInfisicalAuthOciAuthCredentials>,
    /// TokenAuthCredentials represents the credentials for access token-based authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenAuthCredentials")]
    pub token_auth_credentials: Option<SecretStoreProviderInfisicalAuthTokenAuthCredentials>,
    /// UniversalAuthCredentials represents the client credentials for universal authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "universalAuthCredentials")]
    pub universal_auth_credentials: Option<SecretStoreProviderInfisicalAuthUniversalAuthCredentials>,
}

/// AwsAuthCredentials represents the credentials for AWS authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthAwsAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "identityId")]
    pub identity_id: SecretStoreProviderInfisicalAuthAwsAuthCredentialsIdentityId,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthAwsAuthCredentialsIdentityId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AzureAuthCredentials represents the credentials for Azure authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthAzureAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "identityId")]
    pub identity_id: SecretStoreProviderInfisicalAuthAzureAuthCredentialsIdentityId,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub resource: Option<SecretStoreProviderInfisicalAuthAzureAuthCredentialsResource>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthAzureAuthCredentialsIdentityId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthAzureAuthCredentialsResource {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthGcpIamAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "identityId")]
    pub identity_id: SecretStoreProviderInfisicalAuthGcpIamAuthCredentialsIdentityId,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "serviceAccountKeyFilePath")]
    pub service_account_key_file_path: SecretStoreProviderInfisicalAuthGcpIamAuthCredentialsServiceAccountKeyFilePath,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthGcpIamAuthCredentialsIdentityId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthGcpIamAuthCredentialsServiceAccountKeyFilePath {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthGcpIdTokenAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "identityId")]
    pub identity_id: SecretStoreProviderInfisicalAuthGcpIdTokenAuthCredentialsIdentityId,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthGcpIdTokenAuthCredentialsIdentityId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// JwtAuthCredentials represents the credentials for JWT authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthJwtAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "identityId")]
    pub identity_id: SecretStoreProviderInfisicalAuthJwtAuthCredentialsIdentityId,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    pub jwt: SecretStoreProviderInfisicalAuthJwtAuthCredentialsJwt,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthJwtAuthCredentialsIdentityId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthJwtAuthCredentialsJwt {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthKubernetesAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "identityId")]
    pub identity_id: SecretStoreProviderInfisicalAuthKubernetesAuthCredentialsIdentityId,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountTokenPath")]
    pub service_account_token_path: Option<SecretStoreProviderInfisicalAuthKubernetesAuthCredentialsServiceAccountTokenPath>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthKubernetesAuthCredentialsIdentityId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthKubernetesAuthCredentialsServiceAccountTokenPath {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// LdapAuthCredentials represents the credentials for LDAP authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthLdapAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "identityId")]
    pub identity_id: SecretStoreProviderInfisicalAuthLdapAuthCredentialsIdentityId,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "ldapPassword")]
    pub ldap_password: SecretStoreProviderInfisicalAuthLdapAuthCredentialsLdapPassword,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "ldapUsername")]
    pub ldap_username: SecretStoreProviderInfisicalAuthLdapAuthCredentialsLdapUsername,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthLdapAuthCredentialsIdentityId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthLdapAuthCredentialsLdapPassword {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthLdapAuthCredentialsLdapUsername {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// OciAuthCredentials represents the credentials for OCI authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthOciAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    pub fingerprint: SecretStoreProviderInfisicalAuthOciAuthCredentialsFingerprint,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "identityId")]
    pub identity_id: SecretStoreProviderInfisicalAuthOciAuthCredentialsIdentityId,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "privateKey")]
    pub private_key: SecretStoreProviderInfisicalAuthOciAuthCredentialsPrivateKey,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "privateKeyPassphrase")]
    pub private_key_passphrase: Option<SecretStoreProviderInfisicalAuthOciAuthCredentialsPrivateKeyPassphrase>,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    pub region: SecretStoreProviderInfisicalAuthOciAuthCredentialsRegion,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "tenancyId")]
    pub tenancy_id: SecretStoreProviderInfisicalAuthOciAuthCredentialsTenancyId,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "userId")]
    pub user_id: SecretStoreProviderInfisicalAuthOciAuthCredentialsUserId,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthOciAuthCredentialsFingerprint {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthOciAuthCredentialsIdentityId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthOciAuthCredentialsPrivateKey {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthOciAuthCredentialsPrivateKeyPassphrase {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthOciAuthCredentialsRegion {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthOciAuthCredentialsTenancyId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthOciAuthCredentialsUserId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// TokenAuthCredentials represents the credentials for access token-based authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthTokenAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "accessToken")]
    pub access_token: SecretStoreProviderInfisicalAuthTokenAuthCredentialsAccessToken,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthTokenAuthCredentialsAccessToken {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// UniversalAuthCredentials represents the client credentials for universal authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthUniversalAuthCredentials {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "clientId")]
    pub client_id: SecretStoreProviderInfisicalAuthUniversalAuthCredentialsClientId,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "clientSecret")]
    pub client_secret: SecretStoreProviderInfisicalAuthUniversalAuthCredentialsClientSecret,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthUniversalAuthCredentialsClientId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalAuthUniversalAuthCredentialsClientSecret {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
/// The certificate is used to validate the Infisical server's TLS certificate.
/// Mutually exclusive with CABundle.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderInfisicalCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    /// Can only be defined when used in a ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderInfisicalCaProviderType,
}

/// CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
/// The certificate is used to validate the Infisical server's TLS certificate.
/// Mutually exclusive with CABundle.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderInfisicalCaProviderType {
    Secret,
    ConfigMap,
}

/// SecretsScope defines the scope of the secrets within the workspace
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderInfisicalSecretsScope {
    /// EnvironmentSlug is the required slug identifier for the environment.
    #[serde(rename = "environmentSlug")]
    pub environment_slug: String,
    /// ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "expandSecretReferences")]
    pub expand_secret_references: Option<bool>,
    /// ProjectSlug is the required slug identifier for the project.
    #[serde(rename = "projectSlug")]
    pub project_slug: String,
    /// Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub recursive: Option<bool>,
    /// SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretsPath")]
    pub secrets_path: Option<String>,
}

/// KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKeepersecurity {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "authRef")]
    pub auth_ref: SecretStoreProviderKeepersecurityAuthRef,
    #[serde(rename = "folderID")]
    pub folder_id: String,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKeepersecurityAuthRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetes {
    /// Auth configures how secret-manager authenticates with a Kubernetes instance.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderKubernetesAuth>,
    /// A reference to a secret that contains the auth information.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authRef")]
    pub auth_ref: Option<SecretStoreProviderKubernetesAuthRef>,
    /// Remote namespace to fetch the secrets from
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteNamespace")]
    pub remote_namespace: Option<String>,
    /// configures the Kubernetes server Address.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub server: Option<SecretStoreProviderKubernetesServer>,
}

/// Auth configures how secret-manager authenticates with a Kubernetes instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuth {
    /// has both clientCert and clientKey as secretKeySelector
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cert: Option<SecretStoreProviderKubernetesAuthCert>,
    /// points to a service account that should be used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccount")]
    pub service_account: Option<SecretStoreProviderKubernetesAuthServiceAccount>,
    /// use static token to authenticate with
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub token: Option<SecretStoreProviderKubernetesAuthToken>,
}

/// has both clientCert and clientKey as secretKeySelector
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthCert {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientCert")]
    pub client_cert: Option<SecretStoreProviderKubernetesAuthCertClientCert>,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientKey")]
    pub client_key: Option<SecretStoreProviderKubernetesAuthCertClientKey>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthCertClientCert {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthCertClientKey {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// points to a service account that should be used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthServiceAccount {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// use static token to authenticate with
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthToken {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "bearerToken")]
    pub bearer_token: Option<SecretStoreProviderKubernetesAuthTokenBearerToken>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthTokenBearerToken {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// A reference to a secret that contains the auth information.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// configures the Kubernetes server Address.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesServer {
    /// CABundle is a base64-encoded CA certificate
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// see: <https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderKubernetesServerCaProvider>,
    /// configures the Kubernetes server Address.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub url: Option<String>,
}

/// see: <https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderKubernetesServerCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    /// Can only be defined when used in a ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderKubernetesServerCaProviderType,
}

/// see: <https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderKubernetesServerCaProviderType {
    Secret,
    ConfigMap,
}

/// Ngrok configures this store to sync secrets using the ngrok provider.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderNgrok {
    /// APIURL is the URL of the ngrok API.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiUrl")]
    pub api_url: Option<String>,
    /// Auth configures how the ngrok provider authenticates with the ngrok API.
    pub auth: SecretStoreProviderNgrokAuth,
    /// Vault configures the ngrok vault to sync secrets with.
    pub vault: SecretStoreProviderNgrokVault,
}

/// Auth configures how the ngrok provider authenticates with the ngrok API.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderNgrokAuth {
    /// APIKey is the API Key used to authenticate with ngrok. See <https://ngrok.com/docs/api/#authentication>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiKey")]
    pub api_key: Option<SecretStoreProviderNgrokAuthApiKey>,
}

/// APIKey is the API Key used to authenticate with ngrok. See <https://ngrok.com/docs/api/#authentication>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderNgrokAuthApiKey {
    /// SecretRef is a reference to a secret containing the ngrok API key.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderNgrokAuthApiKeySecretRef>,
}

/// SecretRef is a reference to a secret containing the ngrok API key.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderNgrokAuthApiKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Vault configures the ngrok vault to sync secrets with.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderNgrokVault {
    /// Name is the name of the ngrok vault to sync secrets with.
    pub name: String,
}

/// Onboardbase configures this store to sync secrets using the Onboardbase provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnboardbase {
    /// APIHost use this to configure the host url for the API for selfhosted installation, default is <https://public.onboardbase.com/api/v1/>
    #[serde(rename = "apiHost")]
    pub api_host: String,
    /// Auth configures how the Operator authenticates with the Onboardbase API
    pub auth: SecretStoreProviderOnboardbaseAuth,
    /// Environment is the name of an environmnent within a project to pull the secrets from
    pub environment: String,
    /// Project is an onboardbase project that the secrets should be pulled from
    pub project: String,
}

/// Auth configures how the Operator authenticates with the Onboardbase API
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnboardbaseAuth {
    /// OnboardbaseAPIKey is the APIKey generated by an admin account.
    /// It is used to recognize and authorize access to a project and environment within onboardbase
    #[serde(rename = "apiKeyRef")]
    pub api_key_ref: SecretStoreProviderOnboardbaseAuthApiKeyRef,
    /// OnboardbasePasscode is the passcode attached to the API Key
    #[serde(rename = "passcodeRef")]
    pub passcode_ref: SecretStoreProviderOnboardbaseAuthPasscodeRef,
}

/// OnboardbaseAPIKey is the APIKey generated by an admin account.
/// It is used to recognize and authorize access to a project and environment within onboardbase
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnboardbaseAuthApiKeyRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// OnboardbasePasscode is the passcode attached to the API Key
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnboardbaseAuthPasscodeRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// OnePassword configures this store to sync secrets using the 1Password Cloud provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepassword {
    /// Auth defines the information necessary to authenticate against OnePassword Connect Server
    pub auth: SecretStoreProviderOnepasswordAuth,
    /// ConnectHost defines the OnePassword Connect Server to connect to
    #[serde(rename = "connectHost")]
    pub connect_host: String,
    /// Vaults defines which OnePassword vaults to search in which order
    pub vaults: BTreeMap<String, i64>,
}

/// Auth defines the information necessary to authenticate against OnePassword Connect Server
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepasswordAuth {
    /// OnePasswordAuthSecretRef holds secret references for 1Password credentials.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderOnepasswordAuthSecretRef,
}

/// OnePasswordAuthSecretRef holds secret references for 1Password credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepasswordAuthSecretRef {
    /// The ConnectToken is used for authentication to a 1Password Connect Server.
    #[serde(rename = "connectTokenSecretRef")]
    pub connect_token_secret_ref: SecretStoreProviderOnepasswordAuthSecretRefConnectTokenSecretRef,
}

/// The ConnectToken is used for authentication to a 1Password Connect Server.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepasswordAuthSecretRefConnectTokenSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepasswordSdk {
    /// Auth defines the information necessary to authenticate against OnePassword API.
    pub auth: SecretStoreProviderOnepasswordSdkAuth,
    /// Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
    /// When enabled, secrets are cached with the specified TTL.
    /// Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
    /// If omitted, caching is disabled (default).
    /// cache: {} is a valid option to set.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cache: Option<SecretStoreProviderOnepasswordSdkCache>,
    /// IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
    /// If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "integrationInfo")]
    pub integration_info: Option<SecretStoreProviderOnepasswordSdkIntegrationInfo>,
    /// Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
    pub vault: String,
}

/// Auth defines the information necessary to authenticate against OnePassword API.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepasswordSdkAuth {
    /// ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
    #[serde(rename = "serviceAccountSecretRef")]
    pub service_account_secret_ref: SecretStoreProviderOnepasswordSdkAuthServiceAccountSecretRef,
}

/// ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepasswordSdkAuthServiceAccountSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
/// When enabled, secrets are cached with the specified TTL.
/// Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
/// If omitted, caching is disabled (default).
/// cache: {} is a valid option to set.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepasswordSdkCache {
    /// MaxSize is the maximum number of secrets to cache.
    /// When the cache is full, least-recently-used entries are evicted.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxSize")]
    pub max_size: Option<i64>,
    /// TTL is the time-to-live for cached secrets.
    /// Format: duration string (e.g., "5m", "1h", "30s")
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ttl: Option<String>,
}

/// IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
/// If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOnepasswordSdkIntegrationInfo {
    /// Name defaults to "1Password SDK".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// Version defaults to "v1.0.0".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}

/// Oracle configures this store to sync secrets using Oracle Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracle {
    /// Auth configures how secret-manager authenticates with the Oracle Vault.
    /// If empty, use the instance principal, otherwise the user credentials specified in Auth.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderOracleAuth>,
    /// Compartment is the vault compartment OCID.
    /// Required for PushSecret
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub compartment: Option<String>,
    /// EncryptionKey is the OCID of the encryption key within the vault.
    /// Required for PushSecret
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "encryptionKey")]
    pub encryption_key: Option<String>,
    /// The type of principal to use for authentication. If left blank, the Auth struct will
    /// determine the principal type. This optional field must be specified if using
    /// workload identity.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "principalType")]
    pub principal_type: Option<SecretStoreProviderOraclePrincipalType>,
    /// Region is the region where vault is located.
    pub region: String,
    /// ServiceAccountRef specified the service account
    /// that should be used when authenticating with WorkloadIdentity.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderOracleServiceAccountRef>,
    /// Vault is the vault's OCID of the specific vault where secret is located.
    pub vault: String,
}

/// Auth configures how secret-manager authenticates with the Oracle Vault.
/// If empty, use the instance principal, otherwise the user credentials specified in Auth.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleAuth {
    /// SecretRef to pass through sensitive information.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderOracleAuthSecretRef,
    /// Tenancy is the tenancy OCID where user is located.
    pub tenancy: String,
    /// User is an access OCID specific to the account.
    pub user: String,
}

/// SecretRef to pass through sensitive information.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleAuthSecretRef {
    /// Fingerprint is the fingerprint of the API private key.
    pub fingerprint: SecretStoreProviderOracleAuthSecretRefFingerprint,
    /// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
    pub privatekey: SecretStoreProviderOracleAuthSecretRefPrivatekey,
}

/// Fingerprint is the fingerprint of the API private key.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleAuthSecretRefFingerprint {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleAuthSecretRefPrivatekey {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Oracle configures this store to sync secrets using Oracle Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderOraclePrincipalType {
    #[serde(rename = "")]
    KopiumEmpty,
    UserPrincipal,
    InstancePrincipal,
    Workload,
}

/// ServiceAccountRef specified the service account
/// that should be used when authenticating with WorkloadIdentity.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// PassboltProvider provides access to Passbolt secrets manager.
/// See: <https://www.passbolt.com.>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassbolt {
    /// Auth defines the information necessary to authenticate against Passbolt Server
    pub auth: SecretStoreProviderPassboltAuth,
    /// Host defines the Passbolt Server to connect to
    pub host: String,
}

/// Auth defines the information necessary to authenticate against Passbolt Server
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassboltAuth {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "passwordSecretRef")]
    pub password_secret_ref: SecretStoreProviderPassboltAuthPasswordSecretRef,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "privateKeySecretRef")]
    pub private_key_secret_ref: SecretStoreProviderPassboltAuthPrivateKeySecretRef,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassboltAuthPasswordSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassboltAuthPrivateKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassworddepot {
    /// Auth configures how secret-manager authenticates with a Password Depot instance.
    pub auth: SecretStoreProviderPassworddepotAuth,
    /// Database to use as source
    pub database: String,
    /// URL configures the Password Depot instance URL.
    pub host: String,
}

/// Auth configures how secret-manager authenticates with a Password Depot instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassworddepotAuth {
    /// PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderPassworddepotAuthSecretRef,
}

/// PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassworddepotAuthSecretRef {
    /// Username / Password is used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub credentials: Option<SecretStoreProviderPassworddepotAuthSecretRefCredentials>,
}

/// Username / Password is used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassworddepotAuthSecretRefCredentials {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Previder configures this store to sync secrets using the Previder provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPrevider {
    /// PreviderAuth contains a secretRef for credentials.
    pub auth: SecretStoreProviderPreviderAuth,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "baseUri")]
    pub base_uri: Option<String>,
}

/// PreviderAuth contains a secretRef for credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPreviderAuth {
    /// PreviderAuthSecretRef holds secret references for Previder Vault credentials.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderPreviderAuthSecretRef>,
}

/// PreviderAuthSecretRef holds secret references for Previder Vault credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPreviderAuthSecretRef {
    /// The AccessToken is used for authentication
    #[serde(rename = "accessToken")]
    pub access_token: SecretStoreProviderPreviderAuthSecretRefAccessToken,
}

/// The AccessToken is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPreviderAuthSecretRefAccessToken {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Pulumi configures this store to sync secrets using the Pulumi provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPulumi {
    /// AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
    #[serde(rename = "accessToken")]
    pub access_token: SecretStoreProviderPulumiAccessToken,
    /// APIURL is the URL of the Pulumi API.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiUrl")]
    pub api_url: Option<String>,
    /// Environment are YAML documents composed of static key-value pairs, programmatic expressions,
    /// dynamically retrieved values from supported providers including all major clouds,
    /// and other Pulumi ESC environments.
    /// To create a new environment, visit <https://www.pulumi.com/docs/esc/environments/> for more information.
    pub environment: String,
    /// Organization are a space to collaborate on shared projects and stacks.
    /// To create a new organization, visit <https://app.pulumi.com/> and click "New Organization".
    pub organization: String,
    /// Project is the name of the Pulumi ESC project the environment belongs to.
    pub project: String,
}

/// AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPulumiAccessToken {
    /// SecretRef is a reference to a secret containing the Pulumi API token.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderPulumiAccessTokenSecretRef>,
}

/// SecretRef is a reference to a secret containing the Pulumi API token.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPulumiAccessTokenSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Scaleway configures this store to sync secrets using the Scaleway provider.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderScaleway {
    /// AccessKey is the non-secret part of the api key.
    #[serde(rename = "accessKey")]
    pub access_key: SecretStoreProviderScalewayAccessKey,
    /// APIURL is the url of the api to use. Defaults to <https://api.scaleway.com>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiUrl")]
    pub api_url: Option<String>,
    /// ProjectID is the id of your project, which you can find in the console: <https://console.scaleway.com/project/settings>
    #[serde(rename = "projectId")]
    pub project_id: String,
    /// Region where your secrets are located: <https://developers.scaleway.com/en/quickstart/#region-and-zone>
    pub region: String,
    /// SecretKey is the non-secret part of the api key.
    #[serde(rename = "secretKey")]
    pub secret_key: SecretStoreProviderScalewaySecretKey,
}

/// AccessKey is the non-secret part of the api key.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderScalewayAccessKey {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderScalewayAccessKeySecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderScalewayAccessKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKey is the non-secret part of the api key.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderScalewaySecretKey {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderScalewaySecretKeySecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderScalewaySecretKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretServer configures this store to sync secrets using SecretServer provider
/// <https://docs.delinea.com/online-help/secret-server/start.htm>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderSecretserver {
    /// PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
    /// if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
    /// are used to validate the TLS connection.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// The provider for the CA bundle to use to validate Secret ServerURL certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderSecretserverCaProvider>,
    /// Domain is the secret server domain.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    /// Password is the secret server account password.
    pub password: SecretStoreProviderSecretserverPassword,
    /// ServerURL
    /// URL to your secret server installation
    #[serde(rename = "serverURL")]
    pub server_url: String,
    /// Username is the secret server account username.
    pub username: SecretStoreProviderSecretserverUsername,
}

/// The provider for the CA bundle to use to validate Secret ServerURL certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderSecretserverCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    /// Can only be defined when used in a ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderSecretserverCaProviderType,
}

/// The provider for the CA bundle to use to validate Secret ServerURL certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderSecretserverCaProviderType {
    Secret,
    ConfigMap,
}

/// Password is the secret server account password.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderSecretserverPassword {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderSecretserverPasswordSecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderSecretserverPasswordSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Username is the secret server account username.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderSecretserverUsername {
    /// SecretRef references a key in a secret that will be used as value.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderSecretserverUsernameSecretRef>,
    /// Value can be specified directly to set a value without using a secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}

/// SecretRef references a key in a secret that will be used as value.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderSecretserverUsernameSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Senhasegura configures this store to sync secrets using senhasegura provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderSenhasegura {
    /// Auth defines parameters to authenticate in senhasegura
    pub auth: SecretStoreProviderSenhaseguraAuth,
    /// IgnoreSslCertificate defines if SSL certificate must be ignored
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreSslCertificate")]
    pub ignore_ssl_certificate: Option<bool>,
    /// Module defines which senhasegura module should be used to get secrets
    pub module: String,
    /// URL of senhasegura
    pub url: String,
}

/// Auth defines parameters to authenticate in senhasegura
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderSenhaseguraAuth {
    #[serde(rename = "clientId")]
    pub client_id: String,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "clientSecretSecretRef")]
    pub client_secret_secret_ref: SecretStoreProviderSenhaseguraAuthClientSecretSecretRef,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderSenhaseguraAuthClientSecretSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Vault configures this store to sync secrets using the HashiCorp Vault provider.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVault {
    /// Auth configures how secret-manager authenticates with the Vault server.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderVaultAuth>,
    /// PEM encoded CA bundle used to validate Vault server certificate. Only used
    /// if the Server URL is using HTTPS protocol. This parameter is ignored for
    /// plain HTTP protocol connection. If not set the system root certificates
    /// are used to validate the TLS connection.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// The provider for the CA bundle to use to validate Vault server certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderVaultCaProvider>,
    /// CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
    /// Only applies to Vault KV v2 stores. When enabled, write operations must include
    /// the current version of the secret to prevent unintentional overwrites.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "checkAndSet")]
    pub check_and_set: Option<SecretStoreProviderVaultCheckAndSet>,
    /// ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
    /// leader instead of simply retrying within a loop. This can increase performance if
    /// the option is enabled serverside.
    /// <https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "forwardInconsistent")]
    pub forward_inconsistent: Option<bool>,
    /// Headers to be added in Vault request
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub headers: Option<BTreeMap<String, String>>,
    /// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
    /// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
    /// More about namespaces can be found here <https://www.vaultproject.io/docs/enterprise/namespaces>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// Path is the mount path of the Vault KV backend endpoint, e.g:
    /// "secret". The v2 KV secret engine version specific "/data" path suffix
    /// for fetching secrets from Vault is optional and will be appended
    /// if not present in specified path.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    /// ReadYourWrites ensures isolated read-after-write semantics by
    /// providing discovered cluster replication states in each request.
    /// More information about eventual consistency in Vault can be found here
    /// <https://www.vaultproject.io/docs/enterprise/consistency>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "readYourWrites")]
    pub read_your_writes: Option<bool>,
    /// Server is the connection address for the Vault server, e.g: "<https://vault.example.com:8200".>
    pub server: String,
    /// The configuration used for client side related TLS communication, when the Vault server
    /// requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
    /// This parameter is ignored for plain HTTP protocol connection.
    /// It's worth noting this configuration is different from the "TLS certificates auth method",
    /// which is available under the `auth.cert` section.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub tls: Option<SecretStoreProviderVaultTls>,
    /// Version is the Vault KV secret engine version. This can be either "v1" or
    /// "v2". Version defaults to "v2".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub version: Option<SecretStoreProviderVaultVersion>,
}

/// Auth configures how secret-manager authenticates with the Vault server.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuth {
    /// AppRole authenticates with Vault using the App Role auth mechanism,
    /// with the role and secret stored in a Kubernetes Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "appRole")]
    pub app_role: Option<SecretStoreProviderVaultAuthAppRole>,
    /// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
    /// Cert authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cert: Option<SecretStoreProviderVaultAuthCert>,
    /// Gcp authenticates with Vault using Google Cloud Platform authentication method
    /// GCP authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub gcp: Option<SecretStoreProviderVaultAuthGcp>,
    /// Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
    /// AWS IAM authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub iam: Option<SecretStoreProviderVaultAuthIam>,
    /// Jwt authenticates with Vault by passing role and JWT token using the
    /// JWT/OIDC authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub jwt: Option<SecretStoreProviderVaultAuthJwt>,
    /// Kubernetes authenticates with Vault by passing the ServiceAccount
    /// token stored in the named Secret resource to the Vault server.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kubernetes: Option<SecretStoreProviderVaultAuthKubernetes>,
    /// Ldap authenticates with Vault by passing username/password pair using
    /// the LDAP authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ldap: Option<SecretStoreProviderVaultAuthLdap>,
    /// Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
    /// Namespaces is a set of features within Vault Enterprise that allows
    /// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
    /// More about namespaces can be found here <https://www.vaultproject.io/docs/enterprise/namespaces>
    /// This will default to Vault.Namespace field if set, or empty otherwise
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// TokenSecretRef authenticates with Vault by presenting a token.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenSecretRef")]
    pub token_secret_ref: Option<SecretStoreProviderVaultAuthTokenSecretRef>,
    /// UserPass authenticates with Vault by passing username/password pair
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "userPass")]
    pub user_pass: Option<SecretStoreProviderVaultAuthUserPass>,
}

/// AppRole authenticates with Vault using the App Role auth mechanism,
/// with the role and secret stored in a Kubernetes Secret resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthAppRole {
    /// Path where the App Role authentication backend is mounted
    /// in Vault, e.g: "approle"
    pub path: String,
    /// RoleID configured in the App Role authentication backend when setting
    /// up the authentication backend in Vault.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "roleId")]
    pub role_id: Option<String>,
    /// Reference to a key in a Secret that contains the App Role ID used
    /// to authenticate with Vault.
    /// The `key` field must be specified and denotes which entry within the Secret
    /// resource is used as the app role id.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "roleRef")]
    pub role_ref: Option<SecretStoreProviderVaultAuthAppRoleRoleRef>,
    /// Reference to a key in a Secret that contains the App Role secret used
    /// to authenticate with Vault.
    /// The `key` field must be specified and denotes which entry within the Secret
    /// resource is used as the app role secret.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderVaultAuthAppRoleSecretRef,
}

/// Reference to a key in a Secret that contains the App Role ID used
/// to authenticate with Vault.
/// The `key` field must be specified and denotes which entry within the Secret
/// resource is used as the app role id.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthAppRoleRoleRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Reference to a key in a Secret that contains the App Role secret used
/// to authenticate with Vault.
/// The `key` field must be specified and denotes which entry within the Secret
/// resource is used as the app role secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthAppRoleSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
/// Cert authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthCert {
    /// ClientCert is a certificate to authenticate using the Cert Vault
    /// authentication method
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientCert")]
    pub client_cert: Option<SecretStoreProviderVaultAuthCertClientCert>,
    /// Path where the Certificate authentication backend is mounted
    /// in Vault, e.g: "cert"
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    /// SecretRef to a key in a Secret resource containing client private key to
    /// authenticate with Vault using the Cert authentication method
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthCertSecretRef>,
}

/// ClientCert is a certificate to authenticate using the Cert Vault
/// authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthCertClientCert {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretRef to a key in a Secret resource containing client private key to
/// authenticate with Vault using the Cert authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthCertSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Gcp authenticates with Vault using Google Cloud Platform authentication method
/// GCP authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthGcp {
    /// Location optionally defines a location/region for the secret
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub location: Option<String>,
    /// Path where the GCP auth method is enabled in Vault, e.g: "gcp"
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    /// Project ID of the Google Cloud Platform project
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "projectID")]
    pub project_id: Option<String>,
    /// Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
    pub role: String,
    /// Specify credentials in a Secret object
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthGcpSecretRef>,
    /// ServiceAccountRef to a service account for impersonation
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderVaultAuthGcpServiceAccountRef>,
    /// Specify a service account with Workload Identity
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "workloadIdentity")]
    pub workload_identity: Option<SecretStoreProviderVaultAuthGcpWorkloadIdentity>,
}

/// Specify credentials in a Secret object
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthGcpSecretRef {
    /// The SecretAccessKey is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretAccessKeySecretRef")]
    pub secret_access_key_secret_ref: Option<SecretStoreProviderVaultAuthGcpSecretRefSecretAccessKeySecretRef>,
}

/// The SecretAccessKey is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthGcpSecretRefSecretAccessKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// ServiceAccountRef to a service account for impersonation
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthGcpServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Specify a service account with Workload Identity
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthGcpWorkloadIdentity {
    /// ClusterLocation is the location of the cluster
    /// If not specified, it fetches information from the metadata server
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterLocation")]
    pub cluster_location: Option<String>,
    /// ClusterName is the name of the cluster
    /// If not specified, it fetches information from the metadata server
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterName")]
    pub cluster_name: Option<String>,
    /// ClusterProjectID is the project ID of the cluster
    /// If not specified, it fetches information from the metadata server
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterProjectID")]
    pub cluster_project_id: Option<String>,
    /// ServiceAccountSelector is a reference to a ServiceAccount resource.
    #[serde(rename = "serviceAccountRef")]
    pub service_account_ref: SecretStoreProviderVaultAuthGcpWorkloadIdentityServiceAccountRef,
}

/// ServiceAccountSelector is a reference to a ServiceAccount resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthGcpWorkloadIdentityServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
/// AWS IAM authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthIam {
    /// AWS External ID set on assumed IAM roles
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "externalID")]
    pub external_id: Option<String>,
    /// Specify a service account with IRSA enabled
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub jwt: Option<SecretStoreProviderVaultAuthIamJwt>,
    /// Path where the AWS auth method is enabled in Vault, e.g: "aws"
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    /// AWS region
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    /// This is the AWS role to be assumed before talking to vault
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub role: Option<String>,
    /// Specify credentials in a Secret object
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthIamSecretRef>,
    /// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: <https://developer.hashicorp.com/vault/docs/auth/aws>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "vaultAwsIamServerID")]
    pub vault_aws_iam_server_id: Option<String>,
    /// Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
    #[serde(rename = "vaultRole")]
    pub vault_role: String,
}

/// Specify a service account with IRSA enabled
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthIamJwt {
    /// ServiceAccountSelector is a reference to a ServiceAccount resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderVaultAuthIamJwtServiceAccountRef>,
}

/// ServiceAccountSelector is a reference to a ServiceAccount resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthIamJwtServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Specify credentials in a Secret object
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthIamSecretRef {
    /// The AccessKeyID is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessKeyIDSecretRef")]
    pub access_key_id_secret_ref: Option<SecretStoreProviderVaultAuthIamSecretRefAccessKeyIdSecretRef>,
    /// The SecretAccessKey is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretAccessKeySecretRef")]
    pub secret_access_key_secret_ref: Option<SecretStoreProviderVaultAuthIamSecretRefSecretAccessKeySecretRef>,
    /// The SessionToken used for authentication
    /// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
    /// see: <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "sessionTokenSecretRef")]
    pub session_token_secret_ref: Option<SecretStoreProviderVaultAuthIamSecretRefSessionTokenSecretRef>,
}

/// The AccessKeyID is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthIamSecretRefAccessKeyIdSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The SecretAccessKey is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthIamSecretRefSecretAccessKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The SessionToken used for authentication
/// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
/// see: <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthIamSecretRefSessionTokenSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Jwt authenticates with Vault by passing role and JWT token using the
/// JWT/OIDC authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthJwt {
    /// Optional ServiceAccountToken specifies the Kubernetes service account for which to request
    /// a token for with the `TokenRequest` API.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesServiceAccountToken")]
    pub kubernetes_service_account_token: Option<SecretStoreProviderVaultAuthJwtKubernetesServiceAccountToken>,
    /// Path where the JWT authentication backend is mounted
    /// in Vault, e.g: "jwt"
    pub path: String,
    /// Role is a JWT role to authenticate using the JWT/OIDC Vault
    /// authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub role: Option<String>,
    /// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
    /// authenticate with Vault using the JWT/OIDC authentication method.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthJwtSecretRef>,
}

/// Optional ServiceAccountToken specifies the Kubernetes service account for which to request
/// a token for with the `TokenRequest` API.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthJwtKubernetesServiceAccountToken {
    /// Optional audiences field that will be used to request a temporary Kubernetes service
    /// account token for the service account referenced by `serviceAccountRef`.
    /// Defaults to a single audience `vault` it not specified.
    /// Deprecated: use serviceAccountRef.Audiences instead
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// Optional expiration time in seconds that will be used to request a temporary
    /// Kubernetes service account token for the service account referenced by
    /// `serviceAccountRef`.
    /// Deprecated: this will be removed in the future.
    /// Defaults to 10 minutes.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "expirationSeconds")]
    pub expiration_seconds: Option<i64>,
    /// Service account field containing the name of a kubernetes ServiceAccount.
    #[serde(rename = "serviceAccountRef")]
    pub service_account_ref: SecretStoreProviderVaultAuthJwtKubernetesServiceAccountTokenServiceAccountRef,
}

/// Service account field containing the name of a kubernetes ServiceAccount.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthJwtKubernetesServiceAccountTokenServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
/// authenticate with Vault using the JWT/OIDC authentication method.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthJwtSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Kubernetes authenticates with Vault by passing the ServiceAccount
/// token stored in the named Secret resource to the Vault server.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthKubernetes {
    /// Path where the Kubernetes authentication backend is mounted in Vault, e.g:
    /// "kubernetes"
    #[serde(rename = "mountPath")]
    pub mount_path: String,
    /// A required field containing the Vault Role to assume. A Role binds a
    /// Kubernetes ServiceAccount with a set of Vault policies.
    pub role: String,
    /// Optional secret field containing a Kubernetes ServiceAccount JWT used
    /// for authenticating with Vault. If a name is specified without a key,
    /// `token` is the default. If one is not specified, the one bound to
    /// the controller will be used.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthKubernetesSecretRef>,
    /// Optional service account field containing the name of a kubernetes ServiceAccount.
    /// If the service account is specified, the service account secret token JWT will be used
    /// for authenticating with Vault. If the service account selector is not supplied,
    /// the secretRef will be used instead.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderVaultAuthKubernetesServiceAccountRef>,
}

/// Optional secret field containing a Kubernetes ServiceAccount JWT used
/// for authenticating with Vault. If a name is specified without a key,
/// `token` is the default. If one is not specified, the one bound to
/// the controller will be used.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthKubernetesSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Optional service account field containing the name of a kubernetes ServiceAccount.
/// If the service account is specified, the service account secret token JWT will be used
/// for authenticating with Vault. If the service account selector is not supplied,
/// the secretRef will be used instead.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthKubernetesServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Ldap authenticates with Vault by passing username/password pair using
/// the LDAP authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthLdap {
    /// Path where the LDAP authentication backend is mounted
    /// in Vault, e.g: "ldap"
    pub path: String,
    /// SecretRef to a key in a Secret resource containing password for the LDAP
    /// user used to authenticate with Vault using the LDAP authentication
    /// method
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthLdapSecretRef>,
    /// Username is an LDAP username used to authenticate using the LDAP Vault
    /// authentication method
    pub username: String,
}

/// SecretRef to a key in a Secret resource containing password for the LDAP
/// user used to authenticate with Vault using the LDAP authentication
/// method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthLdapSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// TokenSecretRef authenticates with Vault by presenting a token.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthTokenSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// UserPass authenticates with Vault by passing username/password pair
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthUserPass {
    /// Path where the UserPassword authentication backend is mounted
    /// in Vault, e.g: "userpass"
    pub path: String,
    /// SecretRef to a key in a Secret resource containing password for the
    /// user used to authenticate with Vault using the UserPass authentication
    /// method
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthUserPassSecretRef>,
    /// Username is a username used to authenticate using the UserPass Vault
    /// authentication method
    pub username: String,
}

/// SecretRef to a key in a Secret resource containing password for the
/// user used to authenticate with Vault using the UserPass authentication
/// method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthUserPassSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The provider for the CA bundle to use to validate Vault server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderVaultCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    /// Can only be defined when used in a ClusterSecretStore.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderVaultCaProviderType,
}

/// The provider for the CA bundle to use to validate Vault server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderVaultCaProviderType {
    Secret,
    ConfigMap,
}

/// CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
/// Only applies to Vault KV v2 stores. When enabled, write operations must include
/// the current version of the secret to prevent unintentional overwrites.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultCheckAndSet {
    /// Required when true, all write operations must include a check-and-set parameter.
    /// This helps prevent unintentional overwrites of secrets.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub required: Option<bool>,
}

/// The configuration used for client side related TLS communication, when the Vault server
/// requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
/// This parameter is ignored for plain HTTP protocol connection.
/// It's worth noting this configuration is different from the "TLS certificates auth method",
/// which is available under the `auth.cert` section.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultTls {
    /// CertSecretRef is a certificate added to the transport layer
    /// when communicating with the Vault server.
    /// If no key for the Secret is specified, external-secret will default to 'tls.crt'.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "certSecretRef")]
    pub cert_secret_ref: Option<SecretStoreProviderVaultTlsCertSecretRef>,
    /// KeySecretRef to a key in a Secret resource containing client private key
    /// added to the transport layer when communicating with the Vault server.
    /// If no key for the Secret is specified, external-secret will default to 'tls.key'.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "keySecretRef")]
    pub key_secret_ref: Option<SecretStoreProviderVaultTlsKeySecretRef>,
}

/// CertSecretRef is a certificate added to the transport layer
/// when communicating with the Vault server.
/// If no key for the Secret is specified, external-secret will default to 'tls.crt'.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultTlsCertSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// KeySecretRef to a key in a Secret resource containing client private key
/// added to the transport layer when communicating with the Vault server.
/// If no key for the Secret is specified, external-secret will default to 'tls.key'.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultTlsKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Vault configures this store to sync secrets using the HashiCorp Vault provider.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderVaultVersion {
    #[serde(rename = "v1")]
    V1,
    #[serde(rename = "v2")]
    V2,
}

/// Volcengine configures this store to sync secrets using the Volcengine provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVolcengine {
    /// Auth defines the authentication method to use.
    /// If not specified, the provider will try to use IRSA (IAM Role for Service Account).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderVolcengineAuth>,
    /// Region specifies the Volcengine region to connect to.
    pub region: String,
}

/// Auth defines the authentication method to use.
/// If not specified, the provider will try to use IRSA (IAM Role for Service Account).
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVolcengineAuth {
    /// SecretRef defines the static credentials to use for authentication.
    /// If not set, IRSA is used.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVolcengineAuthSecretRef>,
}

/// SecretRef defines the static credentials to use for authentication.
/// If not set, IRSA is used.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVolcengineAuthSecretRef {
    /// AccessKeyID is the reference to the secret containing the Access Key ID.
    #[serde(rename = "accessKeyID")]
    pub access_key_id: SecretStoreProviderVolcengineAuthSecretRefAccessKeyId,
    /// SecretAccessKey is the reference to the secret containing the Secret Access Key.
    #[serde(rename = "secretAccessKey")]
    pub secret_access_key: SecretStoreProviderVolcengineAuthSecretRefSecretAccessKey,
    /// Token is the reference to the secret containing the STS(Security Token Service) Token.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub token: Option<SecretStoreProviderVolcengineAuthSecretRefToken>,
}

/// AccessKeyID is the reference to the secret containing the Access Key ID.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVolcengineAuthSecretRefAccessKeyId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretAccessKey is the reference to the secret containing the Secret Access Key.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVolcengineAuthSecretRefSecretAccessKey {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Token is the reference to the secret containing the STS(Security Token Service) Token.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVolcengineAuthSecretRefToken {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Webhook configures this store to sync secrets using a generic templated webhook
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhook {
    /// Auth specifies a authorization protocol. Only one protocol may be set.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderWebhookAuth>,
    /// Body
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub body: Option<String>,
    /// PEM encoded CA bundle used to validate webhook server certificate. Only used
    /// if the Server URL is using HTTPS protocol. This parameter is ignored for
    /// plain HTTP protocol connection. If not set the system root certificates
    /// are used to validate the TLS connection.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// The provider for the CA bundle to use to validate webhook server certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderWebhookCaProvider>,
    /// Headers
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub headers: Option<BTreeMap<String, String>>,
    /// Webhook Method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub method: Option<String>,
    /// Result formatting
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub result: Option<SecretStoreProviderWebhookResult>,
    /// Secrets to fill in templates
    /// These secrets will be passed to the templating function as key value pairs under the given name
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub secrets: Option<Vec<SecretStoreProviderWebhookSecrets>>,
    /// Timeout
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub timeout: Option<String>,
    /// Webhook url to call
    pub url: String,
}

/// Auth specifies a authorization protocol. Only one protocol may be set.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookAuth {
    /// NTLMProtocol configures the store to use NTLM for auth
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ntlm: Option<SecretStoreProviderWebhookAuthNtlm>,
}

/// NTLMProtocol configures the store to use NTLM for auth
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookAuthNtlm {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "passwordSecret")]
    pub password_secret: SecretStoreProviderWebhookAuthNtlmPasswordSecret,
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "usernameSecret")]
    pub username_secret: SecretStoreProviderWebhookAuthNtlmUsernameSecret,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookAuthNtlmPasswordSecret {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookAuthNtlmUsernameSecret {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The provider for the CA bundle to use to validate webhook server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderWebhookCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderWebhookCaProviderType,
}

/// The provider for the CA bundle to use to validate webhook server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderWebhookCaProviderType {
    Secret,
    ConfigMap,
}

/// Result formatting
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookResult {
    /// Json path of return value
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "jsonPath")]
    pub json_path: Option<String>,
}

/// WebhookSecret defines a secret that will be passed to the webhook request.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookSecrets {
    /// Name of this secret in templates
    pub name: String,
    /// Secret ref to fill in credentials
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderWebhookSecretsSecretRef,
}

/// Secret ref to fill in credentials
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookSecretsSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexcertificatemanager {
    /// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiEndpoint")]
    pub api_endpoint: Option<String>,
    /// Auth defines the information necessary to authenticate against Yandex.Cloud
    pub auth: SecretStoreProviderYandexcertificatemanagerAuth,
    /// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderYandexcertificatemanagerCaProvider>,
    /// FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub fetching: Option<SecretStoreProviderYandexcertificatemanagerFetching>,
}

/// Auth defines the information necessary to authenticate against Yandex.Cloud
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexcertificatemanagerAuth {
    /// The authorized key used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizedKeySecretRef")]
    pub authorized_key_secret_ref: Option<SecretStoreProviderYandexcertificatemanagerAuthAuthorizedKeySecretRef>,
}

/// The authorized key used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexcertificatemanagerAuthAuthorizedKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexcertificatemanagerCaProvider {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "certSecretRef")]
    pub cert_secret_ref: Option<SecretStoreProviderYandexcertificatemanagerCaProviderCertSecretRef>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexcertificatemanagerCaProviderCertSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexcertificatemanagerFetching {
    /// ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "byID")]
    pub by_id: Option<SecretStoreProviderYandexcertificatemanagerFetchingById>,
    /// ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "byName")]
    pub by_name: Option<SecretStoreProviderYandexcertificatemanagerFetchingByName>,
}

/// ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexcertificatemanagerFetchingById {
}

/// ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexcertificatemanagerFetchingByName {
    /// The folder to fetch secrets from
    #[serde(rename = "folderID")]
    pub folder_id: String,
}

/// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockbox {
    /// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiEndpoint")]
    pub api_endpoint: Option<String>,
    /// Auth defines the information necessary to authenticate against Yandex.Cloud
    pub auth: SecretStoreProviderYandexlockboxAuth,
    /// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderYandexlockboxCaProvider>,
    /// FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub fetching: Option<SecretStoreProviderYandexlockboxFetching>,
}

/// Auth defines the information necessary to authenticate against Yandex.Cloud
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxAuth {
    /// The authorized key used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizedKeySecretRef")]
    pub authorized_key_secret_ref: Option<SecretStoreProviderYandexlockboxAuthAuthorizedKeySecretRef>,
}

/// The authorized key used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxAuthAuthorizedKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxCaProvider {
    /// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "certSecretRef")]
    pub cert_secret_ref: Option<SecretStoreProviderYandexlockboxCaProviderCertSecretRef>,
}

/// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxCaProviderCertSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxFetching {
    /// ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "byID")]
    pub by_id: Option<SecretStoreProviderYandexlockboxFetchingById>,
    /// ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "byName")]
    pub by_name: Option<SecretStoreProviderYandexlockboxFetchingByName>,
}

/// ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxFetchingById {
}

/// ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxFetchingByName {
    /// The folder to fetch secrets from
    #[serde(rename = "folderID")]
    pub folder_id: String,
}

/// Used to configure HTTP retries on failures.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreRetrySettings {
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRetries")]
    pub max_retries: Option<i32>,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "retryInterval")]
    pub retry_interval: Option<String>,
}

/// SecretStoreStatus defines the observed state of the SecretStore.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreStatus {
    /// SecretStoreCapabilities defines the possible operations a SecretStore can do.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub capabilities: Option<String>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub conditions: Option<Vec<Condition>>,
}