kcr_external_secrets_io 3.20260124.94613

// WARNING: generated by kopium - manual changes will be overwritten
// kopium command: kopium --docs --derive=Default --derive=PartialEq --smart-derive-elision --filename crd-catalog/external-secrets/external-secrets/external-secrets.io/v1alpha1/secretstores.yaml
// kopium version: 0.22.5

#[allow(unused_imports)]
mod prelude {
    pub use kube::CustomResource;
    pub use serde::{Serialize, Deserialize};
    pub use std::collections::BTreeMap;
    pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
}
use self::prelude::*;

/// SecretStoreSpec defines the desired state of SecretStore.
#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[kube(group = "external-secrets.io", version = "v1alpha1", kind = "SecretStore", plural = "secretstores")]
#[kube(namespaced)]
#[kube(status = "SecretStoreStatus")]
#[kube(schema = "disabled")]
#[kube(derive="Default")]
#[kube(derive="PartialEq")]
pub struct SecretStoreSpec {
    /// Used to select the correct ESO controller (think: ingress.ingressClassName)
    /// The ESO controller is instantiated with a specific controller name and filters ES based on this property
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub controller: Option<String>,
    /// Used to configure the provider. Only one provider may be set
    pub provider: SecretStoreProvider,
    /// Used to configure http retries if failed
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "retrySettings")]
    pub retry_settings: Option<SecretStoreRetrySettings>,
}

/// Used to configure the provider. Only one provider may be set
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProvider {
    /// Akeyless configures this store to sync secrets using Akeyless Vault provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub akeyless: Option<SecretStoreProviderAkeyless>,
    /// Alibaba configures this store to sync secrets using Alibaba Cloud provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub alibaba: Option<SecretStoreProviderAlibaba>,
    /// AWS configures this store to sync secrets using AWS Secret Manager provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub aws: Option<SecretStoreProviderAws>,
    /// AzureKV configures this store to sync secrets using Azure Key Vault provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub azurekv: Option<SecretStoreProviderAzurekv>,
    /// Fake configures a store with static key/value pairs
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub fake: Option<SecretStoreProviderFake>,
    /// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub gcpsm: Option<SecretStoreProviderGcpsm>,
    /// GitLab configures this store to sync secrets using GitLab Variables provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub gitlab: Option<SecretStoreProviderGitlab>,
    /// IBM configures this store to sync secrets using IBM Cloud provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ibm: Option<SecretStoreProviderIbm>,
    /// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kubernetes: Option<SecretStoreProviderKubernetes>,
    /// Oracle configures this store to sync secrets using Oracle Vault provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub oracle: Option<SecretStoreProviderOracle>,
    /// Configures a store to sync secrets with a Password Depot instance.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub passworddepot: Option<SecretStoreProviderPassworddepot>,
    /// Vault configures this store to sync secrets using Hashi provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub vault: Option<SecretStoreProviderVault>,
    /// Webhook configures this store to sync secrets using a generic templated webhook
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub webhook: Option<SecretStoreProviderWebhook>,
    /// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub yandexlockbox: Option<SecretStoreProviderYandexlockbox>,
}

/// Akeyless configures this store to sync secrets using Akeyless Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeyless {
    /// Akeyless GW API Url from which the secrets to be fetched from.
    #[serde(rename = "akeylessGWApiURL")]
    pub akeyless_gw_api_url: String,
    /// Auth configures how the operator authenticates with Akeyless.
    #[serde(rename = "authSecretRef")]
    pub auth_secret_ref: SecretStoreProviderAkeylessAuthSecretRef,
    /// PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
    /// if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
    /// are used to validate the TLS connection.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// The provider for the CA bundle to use to validate Akeyless Gateway certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderAkeylessCaProvider>,
}

/// Auth configures how the operator authenticates with Akeyless.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRef {
    /// Kubernetes authenticates with Akeyless by passing the ServiceAccount
    /// token stored in the named Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesAuth")]
    pub kubernetes_auth: Option<SecretStoreProviderAkeylessAuthSecretRefKubernetesAuth>,
    /// Reference to a Secret that contains the details
    /// to authenticate with Akeyless.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderAkeylessAuthSecretRefSecretRef>,
}

/// Kubernetes authenticates with Akeyless by passing the ServiceAccount
/// token stored in the named Secret resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefKubernetesAuth {
    /// the Akeyless Kubernetes auth-method access-id
    #[serde(rename = "accessID")]
    pub access_id: String,
    /// Kubernetes-auth configuration name in Akeyless-Gateway
    #[serde(rename = "k8sConfName")]
    pub k8s_conf_name: String,
    /// Optional secret field containing a Kubernetes ServiceAccount JWT used
    /// for authenticating with Akeyless. If a name is specified without a key,
    /// `token` is the default. If one is not specified, the one bound to
    /// the controller will be used.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderAkeylessAuthSecretRefKubernetesAuthSecretRef>,
    /// Optional service account field containing the name of a kubernetes ServiceAccount.
    /// If the service account is specified, the service account secret token JWT will be used
    /// for authenticating with Akeyless. If the service account selector is not supplied,
    /// the secretRef will be used instead.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderAkeylessAuthSecretRefKubernetesAuthServiceAccountRef>,
}

/// Optional secret field containing a Kubernetes ServiceAccount JWT used
/// for authenticating with Akeyless. If a name is specified without a key,
/// `token` is the default. If one is not specified, the one bound to
/// the controller will be used.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefKubernetesAuthSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Optional service account field containing the name of a kubernetes ServiceAccount.
/// If the service account is specified, the service account secret token JWT will be used
/// for authenticating with Akeyless. If the service account selector is not supplied,
/// the secretRef will be used instead.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefKubernetesAuthServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Reference to a Secret that contains the details
/// to authenticate with Akeyless.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefSecretRef {
    /// The SecretAccessID is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessID")]
    pub access_id: Option<SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessId>,
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessType")]
    pub access_type: Option<SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessType>,
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessTypeParam")]
    pub access_type_param: Option<SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessTypeParam>,
}

/// The SecretAccessID is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessType {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAkeylessAuthSecretRefSecretRefAccessTypeParam {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The provider for the CA bundle to use to validate Akeyless Gateway certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderAkeylessCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderAkeylessCaProviderType,
}

/// The provider for the CA bundle to use to validate Akeyless Gateway certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderAkeylessCaProviderType {
    Secret,
    ConfigMap,
}

/// Alibaba configures this store to sync secrets using Alibaba Cloud provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibaba {
    /// AlibabaAuth contains a secretRef for credentials.
    pub auth: SecretStoreProviderAlibabaAuth,
    /// Alibaba Region to be used for the provider
    #[serde(rename = "regionID")]
    pub region_id: String,
}

/// AlibabaAuth contains a secretRef for credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuth {
    /// Authenticate against Alibaba using RRSA.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub rrsa: Option<SecretStoreProviderAlibabaAuthRrsa>,
    /// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderAlibabaAuthSecretRef>,
}

/// Authenticate against Alibaba using RRSA.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuthRrsa {
    #[serde(rename = "oidcProviderArn")]
    pub oidc_provider_arn: String,
    #[serde(rename = "oidcTokenFilePath")]
    pub oidc_token_file_path: String,
    #[serde(rename = "roleArn")]
    pub role_arn: String,
    #[serde(rename = "sessionName")]
    pub session_name: String,
}

/// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuthSecretRef {
    /// The AccessKeyID is used for authentication
    #[serde(rename = "accessKeyIDSecretRef")]
    pub access_key_id_secret_ref: SecretStoreProviderAlibabaAuthSecretRefAccessKeyIdSecretRef,
    /// The AccessKeySecret is used for authentication
    #[serde(rename = "accessKeySecretSecretRef")]
    pub access_key_secret_secret_ref: SecretStoreProviderAlibabaAuthSecretRefAccessKeySecretSecretRef,
}

/// The AccessKeyID is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuthSecretRefAccessKeyIdSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The AccessKeySecret is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAlibabaAuthSecretRefAccessKeySecretSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AWS configures this store to sync secrets using AWS Secret Manager provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderAws {
    /// Auth defines the information necessary to authenticate against AWS
    /// if not set aws sdk will infer credentials from your environment
    /// see: <https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderAwsAuth>,
    /// AWS Region to be used for the provider
    pub region: String,
    /// Role is a Role ARN which the SecretManager provider will assume
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub role: Option<String>,
    /// Service defines which service should be used to fetch the secrets
    pub service: SecretStoreProviderAwsService,
}

/// Auth defines the information necessary to authenticate against AWS
/// if not set aws sdk will infer credentials from your environment
/// see: <https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials>
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuth {
    /// Authenticate against AWS using service account tokens.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub jwt: Option<SecretStoreProviderAwsAuthJwt>,
    /// AWSAuthSecretRef holds secret references for AWS credentials
    /// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderAwsAuthSecretRef>,
}

/// Authenticate against AWS using service account tokens.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthJwt {
    /// A reference to a ServiceAccount resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderAwsAuthJwtServiceAccountRef>,
}

/// A reference to a ServiceAccount resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthJwtServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AWSAuthSecretRef holds secret references for AWS credentials
/// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthSecretRef {
    /// The AccessKeyID is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessKeyIDSecretRef")]
    pub access_key_id_secret_ref: Option<SecretStoreProviderAwsAuthSecretRefAccessKeyIdSecretRef>,
    /// The SecretAccessKey is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretAccessKeySecretRef")]
    pub secret_access_key_secret_ref: Option<SecretStoreProviderAwsAuthSecretRefSecretAccessKeySecretRef>,
}

/// The AccessKeyID is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthSecretRefAccessKeyIdSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The SecretAccessKey is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAwsAuthSecretRefSecretAccessKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AWS configures this store to sync secrets using AWS Secret Manager provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderAwsService {
    SecretsManager,
    ParameterStore,
}

/// AzureKV configures this store to sync secrets using Azure Key Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekv {
    /// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authSecretRef")]
    pub auth_secret_ref: Option<SecretStoreProviderAzurekvAuthSecretRef>,
    /// Auth type defines how to authenticate to the keyvault service.
    /// Valid values are:
    /// - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
    /// - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authType")]
    pub auth_type: Option<SecretStoreProviderAzurekvAuthType>,
    /// If multiple Managed Identity is assigned to the pod, you can select the one to be used
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "identityId")]
    pub identity_id: Option<String>,
    /// ServiceAccountRef specified the service account
    /// that should be used when authenticating with WorkloadIdentity.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderAzurekvServiceAccountRef>,
    /// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantId")]
    pub tenant_id: Option<String>,
    /// Vault Url from which the secrets to be fetched from.
    #[serde(rename = "vaultUrl")]
    pub vault_url: String,
}

/// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvAuthSecretRef {
    /// The Azure clientId of the service principle used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientId")]
    pub client_id: Option<SecretStoreProviderAzurekvAuthSecretRefClientId>,
    /// The Azure ClientSecret of the service principle used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientSecret")]
    pub client_secret: Option<SecretStoreProviderAzurekvAuthSecretRefClientSecret>,
}

/// The Azure clientId of the service principle used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvAuthSecretRefClientId {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The Azure ClientSecret of the service principle used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvAuthSecretRefClientSecret {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// AzureKV configures this store to sync secrets using Azure Key Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderAzurekvAuthType {
    ServicePrincipal,
    ManagedIdentity,
    WorkloadIdentity,
}

/// ServiceAccountRef specified the service account
/// that should be used when authenticating with WorkloadIdentity.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderAzurekvServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Fake configures a store with static key/value pairs
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderFake {
    pub data: Vec<SecretStoreProviderFakeData>,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderFakeData {
    pub key: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "valueMap")]
    pub value_map: Option<BTreeMap<String, String>>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}

/// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsm {
    /// Auth defines the information necessary to authenticate against GCP
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderGcpsmAuth>,
    /// ProjectID project where secret is located
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "projectID")]
    pub project_id: Option<String>,
}

/// Auth defines the information necessary to authenticate against GCP
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuth {
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderGcpsmAuthSecretRef>,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "workloadIdentity")]
    pub workload_identity: Option<SecretStoreProviderGcpsmAuthWorkloadIdentity>,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthSecretRef {
    /// The SecretAccessKey is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretAccessKeySecretRef")]
    pub secret_access_key_secret_ref: Option<SecretStoreProviderGcpsmAuthSecretRefSecretAccessKeySecretRef>,
}

/// The SecretAccessKey is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthSecretRefSecretAccessKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentity {
    #[serde(rename = "clusterLocation")]
    pub cluster_location: String,
    #[serde(rename = "clusterName")]
    pub cluster_name: String,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterProjectID")]
    pub cluster_project_id: Option<String>,
    /// A reference to a ServiceAccount resource.
    #[serde(rename = "serviceAccountRef")]
    pub service_account_ref: SecretStoreProviderGcpsmAuthWorkloadIdentityServiceAccountRef,
}

/// A reference to a ServiceAccount resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGcpsmAuthWorkloadIdentityServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// GitLab configures this store to sync secrets using GitLab Variables provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGitlab {
    /// Auth configures how secret-manager authenticates with a GitLab instance.
    pub auth: SecretStoreProviderGitlabAuth,
    /// ProjectID specifies a project where secrets are located.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "projectID")]
    pub project_id: Option<String>,
    /// URL configures the GitLab instance URL. Defaults to <https://gitlab.com/.>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub url: Option<String>,
}

/// Auth configures how secret-manager authenticates with a GitLab instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGitlabAuth {
    #[serde(rename = "SecretRef")]
    pub secret_ref: SecretStoreProviderGitlabAuthSecretRef,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGitlabAuthSecretRef {
    /// AccessToken is used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessToken")]
    pub access_token: Option<SecretStoreProviderGitlabAuthSecretRefAccessToken>,
}

/// AccessToken is used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderGitlabAuthSecretRefAccessToken {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// IBM configures this store to sync secrets using IBM Cloud provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbm {
    /// Auth configures how secret-manager authenticates with the IBM secrets manager.
    pub auth: SecretStoreProviderIbmAuth,
    /// ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceUrl")]
    pub service_url: Option<String>,
}

/// Auth configures how secret-manager authenticates with the IBM secrets manager.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbmAuth {
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderIbmAuthSecretRef,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbmAuthSecretRef {
    /// The SecretAccessKey is used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretApiKeySecretRef")]
    pub secret_api_key_secret_ref: Option<SecretStoreProviderIbmAuthSecretRefSecretApiKeySecretRef>,
}

/// The SecretAccessKey is used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderIbmAuthSecretRefSecretApiKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetes {
    /// Auth configures how secret-manager authenticates with a Kubernetes instance.
    pub auth: SecretStoreProviderKubernetesAuth,
    /// Remote namespace to fetch the secrets from
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteNamespace")]
    pub remote_namespace: Option<String>,
    /// configures the Kubernetes server Address.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub server: Option<SecretStoreProviderKubernetesServer>,
}

/// Auth configures how secret-manager authenticates with a Kubernetes instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuth {
    /// has both clientCert and clientKey as secretKeySelector
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cert: Option<SecretStoreProviderKubernetesAuthCert>,
    /// points to a service account that should be used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccount")]
    pub service_account: Option<SecretStoreProviderKubernetesAuthServiceAccount>,
    /// use static token to authenticate with
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub token: Option<SecretStoreProviderKubernetesAuthToken>,
}

/// has both clientCert and clientKey as secretKeySelector
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthCert {
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientCert")]
    pub client_cert: Option<SecretStoreProviderKubernetesAuthCertClientCert>,
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientKey")]
    pub client_key: Option<SecretStoreProviderKubernetesAuthCertClientKey>,
}

/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthCertClientCert {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthCertClientKey {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// points to a service account that should be used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthServiceAccount {
    /// A reference to a ServiceAccount resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccount")]
    pub service_account: Option<SecretStoreProviderKubernetesAuthServiceAccountServiceAccount>,
}

/// A reference to a ServiceAccount resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthServiceAccountServiceAccount {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// use static token to authenticate with
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthToken {
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "bearerToken")]
    pub bearer_token: Option<SecretStoreProviderKubernetesAuthTokenBearerToken>,
}

/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesAuthTokenBearerToken {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// configures the Kubernetes server Address.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderKubernetesServer {
    /// CABundle is a base64-encoded CA certificate
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// see: <https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderKubernetesServerCaProvider>,
    /// configures the Kubernetes server Address.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub url: Option<String>,
}

/// see: <https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderKubernetesServerCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderKubernetesServerCaProviderType,
}

/// see: <https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider>
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderKubernetesServerCaProviderType {
    Secret,
    ConfigMap,
}

/// Oracle configures this store to sync secrets using Oracle Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracle {
    /// Auth configures how secret-manager authenticates with the Oracle Vault.
    /// If empty, instance principal is used. Optionally, the authenticating principal type
    /// and/or user data may be supplied for the use of workload identity and user principal.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<SecretStoreProviderOracleAuth>,
    /// Compartment is the vault compartment OCID.
    /// Required for PushSecret
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub compartment: Option<String>,
    /// EncryptionKey is the OCID of the encryption key within the vault.
    /// Required for PushSecret
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "encryptionKey")]
    pub encryption_key: Option<String>,
    /// The type of principal to use for authentication. If left blank, the Auth struct will
    /// determine the principal type. This optional field must be specified if using
    /// workload identity.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "principalType")]
    pub principal_type: Option<SecretStoreProviderOraclePrincipalType>,
    /// Region is the region where vault is located.
    pub region: String,
    /// ServiceAccountRef specified the service account
    /// that should be used when authenticating with WorkloadIdentity.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderOracleServiceAccountRef>,
    /// Vault is the vault's OCID of the specific vault where secret is located.
    pub vault: String,
}

/// Auth configures how secret-manager authenticates with the Oracle Vault.
/// If empty, instance principal is used. Optionally, the authenticating principal type
/// and/or user data may be supplied for the use of workload identity and user principal.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleAuth {
    /// SecretRef to pass through sensitive information.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderOracleAuthSecretRef,
    /// Tenancy is the tenancy OCID where user is located.
    pub tenancy: String,
    /// User is an access OCID specific to the account.
    pub user: String,
}

/// SecretRef to pass through sensitive information.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleAuthSecretRef {
    /// Fingerprint is the fingerprint of the API private key.
    pub fingerprint: SecretStoreProviderOracleAuthSecretRefFingerprint,
    /// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
    pub privatekey: SecretStoreProviderOracleAuthSecretRefPrivatekey,
}

/// Fingerprint is the fingerprint of the API private key.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleAuthSecretRefFingerprint {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleAuthSecretRefPrivatekey {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Oracle configures this store to sync secrets using Oracle Vault provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderOraclePrincipalType {
    #[serde(rename = "")]
    KopiumEmpty,
    UserPrincipal,
    InstancePrincipal,
    Workload,
}

/// ServiceAccountRef specified the service account
/// that should be used when authenticating with WorkloadIdentity.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderOracleServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Configures a store to sync secrets with a Password Depot instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassworddepot {
    /// Auth configures how secret-manager authenticates with a Password Depot instance.
    pub auth: SecretStoreProviderPassworddepotAuth,
    /// Database to use as source
    pub database: String,
    /// URL configures the Password Depot instance URL.
    pub host: String,
}

/// Auth configures how secret-manager authenticates with a Password Depot instance.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassworddepotAuth {
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderPassworddepotAuthSecretRef,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassworddepotAuthSecretRef {
    /// Username / Password is used for authentication.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub credentials: Option<SecretStoreProviderPassworddepotAuthSecretRefCredentials>,
}

/// Username / Password is used for authentication.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderPassworddepotAuthSecretRefCredentials {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Vault configures this store to sync secrets using Hashi provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVault {
    /// Auth configures how secret-manager authenticates with the Vault server.
    pub auth: SecretStoreProviderVaultAuth,
    /// PEM encoded CA bundle used to validate Vault server certificate. Only used
    /// if the Server URL is using HTTPS protocol. This parameter is ignored for
    /// plain HTTP protocol connection. If not set the system root certificates
    /// are used to validate the TLS connection.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// The provider for the CA bundle to use to validate Vault server certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderVaultCaProvider>,
    /// ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
    /// leader instead of simply retrying within a loop. This can increase performance if
    /// the option is enabled serverside.
    /// <https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "forwardInconsistent")]
    pub forward_inconsistent: Option<bool>,
    /// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
    /// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
    /// More about namespaces can be found here <https://www.vaultproject.io/docs/enterprise/namespaces>
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// Path is the mount path of the Vault KV backend endpoint, e.g:
    /// "secret". The v2 KV secret engine version specific "/data" path suffix
    /// for fetching secrets from Vault is optional and will be appended
    /// if not present in specified path.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    /// ReadYourWrites ensures isolated read-after-write semantics by
    /// providing discovered cluster replication states in each request.
    /// More information about eventual consistency in Vault can be found here
    /// <https://www.vaultproject.io/docs/enterprise/consistency>
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "readYourWrites")]
    pub read_your_writes: Option<bool>,
    /// Server is the connection address for the Vault server, e.g: "<https://vault.example.com:8200".>
    pub server: String,
    /// Version is the Vault KV secret engine version. This can be either "v1" or
    /// "v2". Version defaults to "v2".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub version: Option<SecretStoreProviderVaultVersion>,
}

/// Auth configures how secret-manager authenticates with the Vault server.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuth {
    /// AppRole authenticates with Vault using the App Role auth mechanism,
    /// with the role and secret stored in a Kubernetes Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "appRole")]
    pub app_role: Option<SecretStoreProviderVaultAuthAppRole>,
    /// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
    /// Cert authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cert: Option<SecretStoreProviderVaultAuthCert>,
    /// Jwt authenticates with Vault by passing role and JWT token using the
    /// JWT/OIDC authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub jwt: Option<SecretStoreProviderVaultAuthJwt>,
    /// Kubernetes authenticates with Vault by passing the ServiceAccount
    /// token stored in the named Secret resource to the Vault server.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kubernetes: Option<SecretStoreProviderVaultAuthKubernetes>,
    /// Ldap authenticates with Vault by passing username/password pair using
    /// the LDAP authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ldap: Option<SecretStoreProviderVaultAuthLdap>,
    /// TokenSecretRef authenticates with Vault by presenting a token.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tokenSecretRef")]
    pub token_secret_ref: Option<SecretStoreProviderVaultAuthTokenSecretRef>,
}

/// AppRole authenticates with Vault using the App Role auth mechanism,
/// with the role and secret stored in a Kubernetes Secret resource.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthAppRole {
    /// Path where the App Role authentication backend is mounted
    /// in Vault, e.g: "approle"
    pub path: String,
    /// RoleID configured in the App Role authentication backend when setting
    /// up the authentication backend in Vault.
    #[serde(rename = "roleId")]
    pub role_id: String,
    /// Reference to a key in a Secret that contains the App Role secret used
    /// to authenticate with Vault.
    /// The `key` field must be specified and denotes which entry within the Secret
    /// resource is used as the app role secret.
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderVaultAuthAppRoleSecretRef,
}

/// Reference to a key in a Secret that contains the App Role secret used
/// to authenticate with Vault.
/// The `key` field must be specified and denotes which entry within the Secret
/// resource is used as the app role secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthAppRoleSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
/// Cert authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthCert {
    /// ClientCert is a certificate to authenticate using the Cert Vault
    /// authentication method
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientCert")]
    pub client_cert: Option<SecretStoreProviderVaultAuthCertClientCert>,
    /// SecretRef to a key in a Secret resource containing client private key to
    /// authenticate with Vault using the Cert authentication method
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthCertSecretRef>,
}

/// ClientCert is a certificate to authenticate using the Cert Vault
/// authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthCertClientCert {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// SecretRef to a key in a Secret resource containing client private key to
/// authenticate with Vault using the Cert authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthCertSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Jwt authenticates with Vault by passing role and JWT token using the
/// JWT/OIDC authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthJwt {
    /// Optional ServiceAccountToken specifies the Kubernetes service account for which to request
    /// a token for with the `TokenRequest` API.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesServiceAccountToken")]
    pub kubernetes_service_account_token: Option<SecretStoreProviderVaultAuthJwtKubernetesServiceAccountToken>,
    /// Path where the JWT authentication backend is mounted
    /// in Vault, e.g: "jwt"
    pub path: String,
    /// Role is a JWT role to authenticate using the JWT/OIDC Vault
    /// authentication method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub role: Option<String>,
    /// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
    /// authenticate with Vault using the JWT/OIDC authentication method.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthJwtSecretRef>,
}

/// Optional ServiceAccountToken specifies the Kubernetes service account for which to request
/// a token for with the `TokenRequest` API.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthJwtKubernetesServiceAccountToken {
    /// Optional audiences field that will be used to request a temporary Kubernetes service
    /// account token for the service account referenced by `serviceAccountRef`.
    /// Defaults to a single audience `vault` it not specified.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// Optional expiration time in seconds that will be used to request a temporary
    /// Kubernetes service account token for the service account referenced by
    /// `serviceAccountRef`.
    /// Defaults to 10 minutes.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "expirationSeconds")]
    pub expiration_seconds: Option<i64>,
    /// Service account field containing the name of a kubernetes ServiceAccount.
    #[serde(rename = "serviceAccountRef")]
    pub service_account_ref: SecretStoreProviderVaultAuthJwtKubernetesServiceAccountTokenServiceAccountRef,
}

/// Service account field containing the name of a kubernetes ServiceAccount.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthJwtKubernetesServiceAccountTokenServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
/// authenticate with Vault using the JWT/OIDC authentication method.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthJwtSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Kubernetes authenticates with Vault by passing the ServiceAccount
/// token stored in the named Secret resource to the Vault server.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthKubernetes {
    /// Path where the Kubernetes authentication backend is mounted in Vault, e.g:
    /// "kubernetes"
    #[serde(rename = "mountPath")]
    pub mount_path: String,
    /// A required field containing the Vault Role to assume. A Role binds a
    /// Kubernetes ServiceAccount with a set of Vault policies.
    pub role: String,
    /// Optional secret field containing a Kubernetes ServiceAccount JWT used
    /// for authenticating with Vault. If a name is specified without a key,
    /// `token` is the default. If one is not specified, the one bound to
    /// the controller will be used.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthKubernetesSecretRef>,
    /// Optional service account field containing the name of a kubernetes ServiceAccount.
    /// If the service account is specified, the service account secret token JWT will be used
    /// for authenticating with Vault. If the service account selector is not supplied,
    /// the secretRef will be used instead.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountRef")]
    pub service_account_ref: Option<SecretStoreProviderVaultAuthKubernetesServiceAccountRef>,
}

/// Optional secret field containing a Kubernetes ServiceAccount JWT used
/// for authenticating with Vault. If a name is specified without a key,
/// `token` is the default. If one is not specified, the one bound to
/// the controller will be used.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthKubernetesSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Optional service account field containing the name of a kubernetes ServiceAccount.
/// If the service account is specified, the service account secret token JWT will be used
/// for authenticating with Vault. If the service account selector is not supplied,
/// the secretRef will be used instead.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthKubernetesServiceAccountRef {
    /// Audience specifies the `aud` claim for the service account token
    /// If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
    /// then this audiences will be appended to the list
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// The name of the ServiceAccount resource being referred to.
    pub name: String,
    /// Namespace of the resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Ldap authenticates with Vault by passing username/password pair using
/// the LDAP authentication method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthLdap {
    /// Path where the LDAP authentication backend is mounted
    /// in Vault, e.g: "ldap"
    pub path: String,
    /// SecretRef to a key in a Secret resource containing password for the LDAP
    /// user used to authenticate with Vault using the LDAP authentication
    /// method
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<SecretStoreProviderVaultAuthLdapSecretRef>,
    /// Username is a LDAP user name used to authenticate using the LDAP Vault
    /// authentication method
    pub username: String,
}

/// SecretRef to a key in a Secret resource containing password for the LDAP
/// user used to authenticate with Vault using the LDAP authentication
/// method
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthLdapSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// TokenSecretRef authenticates with Vault by presenting a token.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderVaultAuthTokenSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The provider for the CA bundle to use to validate Vault server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderVaultCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderVaultCaProviderType,
}

/// The provider for the CA bundle to use to validate Vault server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderVaultCaProviderType {
    Secret,
    ConfigMap,
}

/// Vault configures this store to sync secrets using Hashi provider
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderVaultVersion {
    #[serde(rename = "v1")]
    V1,
    #[serde(rename = "v2")]
    V2,
}

/// Webhook configures this store to sync secrets using a generic templated webhook
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhook {
    /// Body
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub body: Option<String>,
    /// PEM encoded CA bundle used to validate webhook server certificate. Only used
    /// if the Server URL is using HTTPS protocol. This parameter is ignored for
    /// plain HTTP protocol connection. If not set the system root certificates
    /// are used to validate the TLS connection.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// The provider for the CA bundle to use to validate webhook server certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderWebhookCaProvider>,
    /// Headers
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub headers: Option<BTreeMap<String, String>>,
    /// Webhook Method
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub method: Option<String>,
    /// Result formatting
    pub result: SecretStoreProviderWebhookResult,
    /// Secrets to fill in templates
    /// These secrets will be passed to the templating function as key value pairs under the given name
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub secrets: Option<Vec<SecretStoreProviderWebhookSecrets>>,
    /// Timeout
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub timeout: Option<String>,
    /// Webhook url to call
    pub url: String,
}

/// The provider for the CA bundle to use to validate webhook server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub struct SecretStoreProviderWebhookCaProvider {
    /// The key where the CA certificate can be found in the Secret or ConfigMap.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the object located at the provider type.
    pub name: String,
    /// The namespace the Provider type is in.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// The type of provider to use such as "Secret", or "ConfigMap".
    #[serde(rename = "type")]
    pub r#type: SecretStoreProviderWebhookCaProviderType,
}

/// The provider for the CA bundle to use to validate webhook server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
pub enum SecretStoreProviderWebhookCaProviderType {
    Secret,
    ConfigMap,
}

/// Result formatting
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookResult {
    /// Json path of return value
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "jsonPath")]
    pub json_path: Option<String>,
}

#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookSecrets {
    /// Name of this secret in templates
    pub name: String,
    /// Secret ref to fill in credentials
    #[serde(rename = "secretRef")]
    pub secret_ref: SecretStoreProviderWebhookSecretsSecretRef,
}

/// Secret ref to fill in credentials
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderWebhookSecretsSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockbox {
    /// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiEndpoint")]
    pub api_endpoint: Option<String>,
    /// Auth defines the information necessary to authenticate against Yandex Lockbox
    pub auth: SecretStoreProviderYandexlockboxAuth,
    /// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caProvider")]
    pub ca_provider: Option<SecretStoreProviderYandexlockboxCaProvider>,
}

/// Auth defines the information necessary to authenticate against Yandex Lockbox
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxAuth {
    /// The authorized key used for authentication
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "authorizedKeySecretRef")]
    pub authorized_key_secret_ref: Option<SecretStoreProviderYandexlockboxAuthAuthorizedKeySecretRef>,
}

/// The authorized key used for authentication
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxAuthAuthorizedKeySecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxCaProvider {
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "certSecretRef")]
    pub cert_secret_ref: Option<SecretStoreProviderYandexlockboxCaProviderCertSecretRef>,
}

/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreProviderYandexlockboxCaProviderCertSecretRef {
    /// A key in the referenced Secret.
    /// Some instances of this field may be defaulted, in others it may be required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// The name of the Secret resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// The namespace of the Secret resource being referred to.
    /// Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
}

/// Used to configure http retries if failed
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreRetrySettings {
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRetries")]
    pub max_retries: Option<i32>,
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "retryInterval")]
    pub retry_interval: Option<String>,
}

/// SecretStoreStatus defines the observed state of the SecretStore.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
pub struct SecretStoreStatus {
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub conditions: Option<Vec<Condition>>,
}