openshift · stevsmit · Nov 5, 2025 · Oct 3, 2025
diff --git a/modules/eso-bitwarden-secret.adoc b/modules/eso-bitwarden-secret.adoc
@@ -6,7 +6,8 @@
 [id="eso-bitwarden-secret_{context}"]
 = bitwardenSecretManagerProvider
 
-The `bitwardenSecretManagerProvider` field enables the bitwarden secrets manager provider and sets up the additional service required to connect to the bitwarden server.
+[role="_abstract"]
+The `bitwardenSecretManagerProvider` field enables the Bitwarden secrets manager provider and sets up the additional service required to connect to the Bitwarden server.
 
 [cols="1,1,1,1,1",options="header"]
 |===
@@ -16,16 +17,17 @@ The `bitwardenSecretManagerProvider` field enables the bitwarden secrets manager
 | Default
 | Validation
 
-| `enabled`
+| `mode`
 | _string_
-| `enabled` field enables the `bitwardenSecretManagerProvider`. you can set this field to `true` or `false`.
-| false
-| enum: [true false] +
+| `mode` field enables the `bitwardenSecretManagerProvider` provider state, which can be set to `Enabled` or `Disabled`. If set to `Enabled`, the Operator ensures the plugin is deployed and synchronized. If set to `Disabled`, the Bitwarden provider plugin reconciliation is disabled. The plugin and resources remain in their current state, and are not managed by the Operator.
+| `Disabled`
+a| enum: [Enabled Disabled]
+
 Optional
 
 | `secretRef`
 | _SecretReference_
-| `SecretRef` specifies the kubernetes secret that contains the TLS key pair for the bitwarden server. If this reference is not provided and `certManagerConfig` field is configured, the issuer defined in `certManagerConfig` generates the required certificate. The secret must use `tls.crt` for certificate, `tls.key` for the private key, and `ca.crt` for CA certificate.
+| `SecretRef` specifies the Kubernetes secret that contains the TLS key pair for the Bitwarden server. If this reference is not provided and the `certManagerConfig` field is configured, the issuer defined in `certManagerConfig` generates the required certificate. The secret must use `tls.crt` for certificate, `tls.key` for the private key, and `ca.crt` for CA certificate.
 |
 | Optional
 |===
diff --git a/modules/eso-cert-manager-config.adoc b/modules/eso-cert-manager-config.adoc
@@ -16,18 +16,20 @@ The `certManagerConfig` field configures the `cert-manager` Operator settings.
 | Default
 | Validation
 
-| `enabled`
+| `mode`
 | _string_
-| `enabled` specifies whether cert-manager must obtain and renew certificates for the webhook server instead of using built-in certificates. Set this field to `true` or `false`.
+| `mode` specifies whether to use cert-manager for certificate management instead of the built-in `cert-controller` which can be indicated by setting either `Enabled` or `Disabled`. If set to `Enabled`, uses `cert-manager` for obtaining the certificates for the webhook server and other components. If set to `Disabled`, uses the `cert-controller` for obtaining the certificates for the webhook server. `Disabled` is the default behavior.
 | false
-| enum: [true false] +
+a| enum: [true false]
+
 Required
 
-| `addInjectorAnnotations`
+| `injectAnnotations`
 | _string_
-| `addInjectorAnnotations` adds the `cert-manager.io/inject-ca-from` annotation to the webhooks and custom resource definitions (CRDs) to automatically configure the webhook with the `cert-manager` Operator certificate authority (CA). This requires CA Injector to be enabled in `cert-manager` Operator. Set this field to `true` or `false`.
+| `injectAnnotations` adds the `cert-manager.io/inject-ca-from` annotation to the webhooks and custom resource definitions (CRDs) to automatically configure the webhook with the `cert-manager` Operator certificate authority (CA). This requires CA Injector to be enabled in `cert-manager` Operator. Set this field to `true` or `false`. When set, this field cannot be changed.
 | false
-| enum: [true false] +
+a| enum: [true false]
+
 Optional
 
 | `issuerRef`

diff --git a/modules/eso-cert-providers-config.adoc b/modules/eso-cert-providers-config.adoc
@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-api.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="eso-cert-providers-config_{context}"]
+= certProvidersConfig
+
+The `certProvidersConfig` defines the configuration for the certificate providers used to manage TLS certificates for webhook and plugins.
+
+[cols="1,1,1,1,1",options="header"]
+|===
+| Field
+| Type
+| Description
+| Default
+| Validation
+
+| `certManager`
+| _object_
+| `certManager` defines the configuration for `cert-manager` provider specifics.
+|
+| Optional
+|===
diff --git a/modules/eso-condition.adoc b/modules/eso-condition.adoc
@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-api.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="eso-condition_{context}"]
+= condition
+
+The `condition` field holds information about the condition of the `external-secrets` deployment.
+
+[cols="1,1,1,1,1",options="header"]
+|===
+| Field
+| Type
+| Description
+| Default
+| Validation
+
+| `type`
+| _string_
+| `type` contains the condition of the deployment.
+|
+| Required
+
+| `status`
+| link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#conditionstatus-v1-meta[_ConditionStatus_]
+| `status` contains the status of the condition of the deployment
+|
+|
+
+| `message`
+| _string_
+| `message` provides details on the state of the deployment
+|
+|
+|===
diff --git a/modules/eso-conditional-status.adoc b/modules/eso-conditional-status.adoc
@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-api.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="eso-conditional-status_{context}"]
+= conditionalStatus
+
+The `conditionalStatus` field holds information about the current state of the `external-secrets` deployment.
+
+[cols="1,1,1,1,1",options="header"]
+|===
+| Field
+| Type
+| Description
+| Default
+| Validation
+
+| `conditions`
+| _array_
+| `conditions` contains information on the current state of the deployment.
+|
+|
+|===
diff --git a/modules/eso-controller-config.adoc b/modules/eso-controller-config.adoc
@@ -6,7 +6,7 @@
 [id="eso-controller-config_{context}"]
 = controllerConfig
 
-The `controllerConfig` field configures the operator to set the default values for installing `external-secrets` operand.
+The `controllerConfig` specifies the configurations used by the controller when installing the `external-secrets` operand and the plugins.
 
 [cols="1,1,1,1,1",options="header"]
 |===
@@ -16,15 +16,20 @@ The `controllerConfig` field configures the operator to set the default values f
 | Default
 | Validation
 
-| `namespace`
+| `certProvider`
 | _string_
-| `namespace` configures the namespace for installing the `external-secrets` operand.
-| external-secrets
+| `certProvider` defines the configuration for the certificate providers used to manage TLS certificates for webhook and plugins.
+|
 | Optional
 
 | `labels`
 | _object (keys:string, values:string)_
 | `labels` field applies labels to all resources created for the `external-secrets` operand deployment.
 |
-| Optional
+a| The maximum number of properties is 20.
+
+The minimum number of properties is 0.
+
+Optional
+
 |===
diff --git a/modules/eso-controller-status.adoc b/modules/eso-controller-status.adoc
@@ -32,5 +32,5 @@ The `controllerStatus` field contains the observed conditions of the controllers
 | _integer_
 | `observedGeneration` represents the `.metadata.generation` on the observed resource.
 |
-| Minimum: 0
+| The minimum number of observed resources is 0.
 |===
diff --git a/modules/eso-external-secrets-config.adoc b/modules/eso-external-secrets-config.adoc
@@ -4,9 +4,10 @@
 
 :_mod-docs-content-type: REFERENCE
 [id="eso-external-secrets-config_{context}"]
-= externalSecretsConfig
+= applicationConfig
 
-The `externalSecretsConfig` field configures the behavior of `external-secrets` operand.
+[role="_abstract"]
+The `applicationConfig` specifies the configurations for the `external-secrets` operand.
 
 [cols="1,1,1,1,1",options="header"]
 |===
@@ -20,34 +21,28 @@ The `externalSecretsConfig` field configures the behavior of `external-secrets`
 | _integer_
 | `logLevel` supports a range of values as defined in the link:https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md#what-method-to-use[kubernetes logging guidelines].
 | 1
-| The maximum range value is 5 +
-The minimum range value is 1 +
+a| The maximum range value is 5
+
+The minimum range value is 1
+
 Optional
 
 | `operatingNamespace`
 | _string_
 | `operatingNamespace` restricts the `external-secrets` operand operations to the provided namespace. Enabling this field disables `ClusterSecretStore` and `ClusterExternalSecret`.
 |
-| Optional
+a| The maximum length is 63
 
-| `bitwardenSecretManagerProvider`
-| _object_
-| `bitwardenSecretManagerProvider` enables the bitwarden secrets manager provider and sets up the additional service required for connecting to the bitwarden server.
-|
-| Optional
+The minimum length is 1
+
+Optional
 
 | `webhookConfig`
 | _object_
 | `webhookConfig` configures webhook specifics of the `external-secrets` operand.
 |
 |
 
-| `certManagerConfig`
-| _object_
-| `certManagerConfig` configures `cert-manager` Operator settings that are used to generate certificates for the webhook and `bitwarden-sdk-server` components.
-|
-|Optional
-
 | `resources`
 | link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#resourcerequirements-v1-core[_ResourceRequirements_]
 | `resources` defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see link:https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[]
@@ -64,11 +59,25 @@ Optional
 | link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#toleration-v1-core[_Toleration_] _array_
 | `tolerations` sets the pod tolerations. For more information, see link:https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[]
 |
-| Optional
+a| The maximum number of items is 50
+
+The minimum number of items is 0
+
+Optional
 
 | `nodeSelector`
 | _object (keys:string, values:string)_
 | `nodeSelector` defines the scheduling criteria by using node labels. For more information, see link:https://kubernetes.io/docs/concepts/configuration/assign-pod-node/[]
 |
+a| The maximum number of properties is 50
+
+The minimum number of properties is 0
+
+Optional
+
+| `proxy`
+| _object (keys:string, values:string)_
+| `proxy` sets the proxy configurations available in operand containers managed by the Operator as environment variables.
+|
 | Optional
 |===
diff --git a/modules/eso-external-secrets-list.adoc b/modules/eso-external-secrets-list.adoc
@@ -4,9 +4,9 @@
 
 :_mod-docs-content-type: REFERENCE
 [id="eso-external-secrets-list_{context}"]
-= externalSecretsList
+= externalSecretsConfigList
 
-The `externalSecretsList` object fetches the list of `externalSecrets` objects.
+The `externalSecretsConfigList` object fetches the list of `externalSecretsConfig` objects.
 
 [cols="1,1,1,1,1",options="header"]
 |===

diff --git a/modules/eso-external-secrets-manager-list.adoc b/modules/eso-external-secrets-manager-list.adoc
@@ -37,7 +37,7 @@ The `externalSecretsManagerList` object fetches the list of `externalSecretsMana
 
 | `items`
 | _array_
-| `Items` contains a list of `externalSecretsManager` objects.
+|
 |
 |
 |===
diff --git a/modules/eso-external-secrets-manager-spec.adoc b/modules/eso-external-secrets-manager-spec.adoc
@@ -21,10 +21,4 @@ The `externalSecretsManagerSpec` field defines the desired behavior of the `exte
 | `globalConfig` configures the behavior of deployments that {external-secrets-operator-short} manages.
 |
 | Optional
-
-| `feature`
-| _array_
-| `feature` enables the optional features of the Operator.
-|
-| Optional
 |===
diff --git a/modules/eso-external-secrets-manager-status.adoc b/modules/eso-external-secrets-manager-status.adoc
@@ -16,16 +16,17 @@ The `externalSecretsManagerStatus` field shows the most recently observed status
 | Default
 | Validation
 
-| `controllerStatus`
+| `controllerStatuses`
 |  _array_
-| `controllerStatus` holds the observed conditions of the controllers used by the Operator.
+| `controllerStatuses` holds the observed conditions of the controllers used by the Operator.
 |
 |
 
 | `lastTransitionTime`
 | link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#time-v1-meta[_Time_]
 | `lastTransitionTime` records the most recent time the status of the condition changed.
 |
-| Format: date-time +
+a| Format: date-time
+
 Type: string
 |===
diff --git a/modules/eso-external-secrets-manager.adoc b/modules/eso-external-secrets-manager.adoc
@@ -8,7 +8,7 @@
 
 The `externalSecretsManager` object defines the configuration and information of deployments managed by the {external-secrets-operator-short}. Set the name to `cluster` as this allows only one instance of `externalSecretsManager` per cluster.
 
-You can configure global options and enable optional features by using `externalSecretsManager`. This serves as a centralized configuration for managing multiple controllers of the Operator. The Operator automatically creates the `externalSecretsManager` object during installation.
+You can configure global options by using `externalSecretsManager`. This serves as a centralized configuration for managing multiple controllers of the Operator. The Operator automatically creates the `externalSecretsManager` object during installation.
 
 [cols="1,1,1,1,1",options="header"]
 |===
@@ -47,4 +47,4 @@ You can configure global options and enable optional features by using `external
 | `status` displays the most recently observed state of the controllers in the {external-secrets-operator-short}.
 |
 |
-|===
+|===
diff --git a/modules/eso-external-secrets-spec.adoc b/modules/eso-external-secrets-spec.adoc
@@ -4,9 +4,9 @@
 
 :_mod-docs-content-type: REFERENCE
 [id="eso-external-secrets-spec_{context}"]
-= externalSecretsSpec
+= externalSecretsConfigSpec
 
-The `externalSecretsSpec` field defines the desired behavior of the `externalSecrets` object.
+The `externalSecretsConfigSpec` field defines the desired behavior of the `externalSecrets` object.
 
 [cols="1,1,1,1,1",options="header"]
 |===
@@ -16,9 +16,15 @@ The `externalSecretsSpec` field defines the desired behavior of the `externalSec
 | Default
 | Validation
 
-| `externalSecretsConfig`
+| `appConfig`
 | _object_
-| `externalSecretsConfig` configures the behavior of `external-secrets` operand.
+| `appConfig` configures the behavior of the `external-secrets` operand.
+|
+| Optional
+
+| `plugins`
+| _object_
+| `plugins` configures the optional provider plugins.
 |
 | Optional
 

diff --git a/modules/eso-external-secrets-status.adoc b/modules/eso-external-secrets-status.adoc
@@ -4,9 +4,9 @@
 
 :_mod-docs-content-type: REFERENCE
 [id="eso-external-secrets-status_{context}"]
-= externalSecretsStatus
+= externalSecretsConfigStatus
 
-The `externalSecretsStatus` field shows the most recently observed status of the `externalSecrets` Object.
+The `externalSecretsConfigStatus` field shows the most recently observed status of the `externalSecretsConfig` Object.
 
 [cols="1,1,1,1,1",options="header"]
 |===
@@ -27,4 +27,10 @@ The `externalSecretsStatus` field shows the most recently observed status of the
 | `externalSecretsImage` specifies the image name and tag used for deploy `external-secrets` operand.
 |
 |
+
+| `bitwardenSDKServerImage`
+| _string_
+| `bitwardenSDKServerImage` specifies the name of the image and tag used for deploying the `bitwarden-sdk-server`.
+|
+|
 |===