openshift · wgabor0427 · Jun 23, 2026
diff --git a/modules/eso-cert-manager-config.adoc b/modules/eso-cert-manager-config.adoc
@@ -20,34 +20,30 @@ You can integrate the {external-secrets-operator} with cert-manager to secure in
 | `mode`
 | _string_
 | `mode` specifies whether to use cert-manager for certificate management instead of the built-in `cert-controller` which can be indicated by setting either `Enabled` or `Disabled`. If set to `Enabled`, uses `cert-manager` for obtaining the certificates for the webhook server and other components. If set to `Disabled`, uses the `cert-controller` for obtaining the certificates for the webhook server. `Disabled` is the default behavior.
-| false
-| enum: [true false]
-
-Required
+| 
+| enum: [Enabled Disabled]
 
 | `injectAnnotations`
 | _string_
 | `injectAnnotations` adds the `cert-manager.io/inject-ca-from` annotation to the webhooks and custom resource definitions (CRDs) to automatically configure the webhook with the `cert-manager` Operator certificate authority (CA). This requires CA Injector to be enabled in `cert-manager` Operator. Set this field to `true` or `false`. When set, this field cannot be changed.
 | false
 | enum: [true false]
 
-Optional
-
 | `issuerRef`
 | _ObjectReference_
 | `issuerRef` contains details of the referenced object used for obtaining certificates. The object must exist in the `external-secrets` namespace unless a cluster-scoped `cert-manager` Operator issuer is used.
 |
-| Required
+| 
 
 | `certificateDuration`
 | link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#duration-v1-meta[_Duration_]
 | `certificateDuration` sets the validity period of the webhook certificate.
 | 8760h
-| Optional
+| 
 
 | `certificateRenewBefore`
 | link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#duration-v1-meta[_Duration_]
 | `certificateRenewBefore` sets the ahead time to renew the webhook certificate before expiry.
 | 30m
-| Optional
+| 
 |===
diff --git a/modules/eso-cert-providers-config.adoc b/modules/eso-cert-providers-config.adoc
@@ -21,5 +21,5 @@ The `certProvidersConfig` defines the configuration for the certificate provider
 | _object_
 | `certManager` defines the configuration for `cert-manager` provider specifics.
 |
-| Optional
+| 
 |===
diff --git a/modules/eso-common-configs.adoc b/modules/eso-common-configs.adoc
@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-api.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="eso-common-config_{context}"]
+= commonConfigs
+
+[role="_abstract"]
+The `commonConfigs` specifies the common configurations available for all operands managed by the Operator.
+
+[cols="1,1,1,1,1",options="header"]
+|===
+| Field
+| Type
+| Description
+| Default
+| Validation
+
+| `logLevel`
+| _integer_
+| `logLevel` supports the value range as defined in the link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#time-v1-meta[_Time_].
+| 1
+a| The maximum number of log levels is 5.
+
+The minimum number of log levels is 1.
+
+| `resources`
+| link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#resourcerequirements-v1-core[_ResourceRequirements_].
+| `resources` defines the resource requirements. This cannot be updated. See link:https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[Resource Management for Pods and Containers].
+|
+| 
+
+| `affinity`
+| link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#affinity-v1-core[_affinity_].
+| `affinity` is used for setting scheduling affinity rules. See See link:https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/[Assigning Pods to Nodes].
+|
+| 
+
+| `tolerations`
+| link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#toleration-v1-core[_toleration array_]
+| `tolerations` sets the pod tolerations.
+|
+a| The maximum number of items is 50.
+
+The minimum number of items is 0.
+
+| `nodeSelector`
+| _object (keys:string, values:string)_
+| `nodeSelector` defines the scheduling criteria using node labels.
+|
+a| The maximum number of properties is 50.
+
+The minimum number of properties is 0.
+
+| `proxy`
+| _proxyConfig_
+| `proxy` sets the proxy configurations which are made avaiable in operand containers managed by the Operator as environment variables.
+|
+| 
+
+|===
diff --git a/modules/eso-component-config.adoc b/modules/eso-component-config.adoc
@@ -29,15 +29,14 @@ Required
 | _object_
 | `deploymentConfigs` specifies overrides for the Kubernetes Deployment resource of this component.
 |
-|Optional
+|
 
 | `overrideEnv`
 a| *EnvVar*
 
 _array_
 | `overrideEnv` specifies custom environment variables for this component's container. These are merged with operator-managed environment variables, with user-defined values taking precedence. Environment variable names starting with `HOSTNAME`, `KUBERNETES_` or `EXTERNAL_SECRETS_` are reserved and are not allowed.
 |
-a| The maximum number of items is 50.
+| The maximum number of items is 50.
 
-Optional
 |===
diff --git a/modules/eso-component-name.adoc b/modules/eso-component-name.adoc
@@ -0,0 +1,34 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-api.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="eso-comoponent-name_{context}"]
+= componentName
+
+[role="_abstract"]
+The `componentName` field represents the different external-secrets components that can have network policies applied.
+
+[cols="1,1,1",options="header"]
+|===
+| Field
+| Type
+| Description
+
+| `ExternalSecretsCoreController`
+| _object_
+| `ExternalSecretsCoreController` represents the 'external-secret'component.
+
+| `BitwardenSDKServer`
+| _object_
+| `BitwardenSDKServer` represents the`bitwarden-sdk-server` component.
+
+| `Webhook`
+| _object_
+| `Webhook` represents the `external-secrets` webhook component.
+
+| `CertController`
+| _object_
+| `CertController` represents the `cert-controller` component.
+
+|===
diff --git a/modules/eso-condition.adoc b/modules/eso-condition.adoc
@@ -9,29 +9,22 @@
 [role="_abstract"]
 The `condition` object reports the current health and operational state of the {external-secrets-operator} deployment. It provides a standardized status check by detailing the specific type of condition, its current status, and a message to verify deployment success or troubleshooting errors.
 
-[cols="1,1,1,1,1",options="header"]
+[cols="1,1,1",options="header"]
 |===
 | Field
 | Type
 | Description
-| Default
-| Validation
 
 | `type`
 | _string_
 | `type` contains the condition of the deployment.
-|
-| Required
 
 | `status`
 | link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#conditionstatus-v1-meta[_ConditionStatus_]
 | `status` contains the status of the condition of the deployment
-|
-|
 
 | `message`
 | _string_
 | `message` provides details on the state of the deployment
-|
-|
+
 |===
diff --git a/modules/eso-conditional-status.adoc b/modules/eso-conditional-status.adoc
@@ -9,17 +9,13 @@
 [role="_abstract"]
 The `conditionalStatus` field holds information about the current state of the `external-secrets` deployment.
 
-[cols="1,1,1,1,1",options="header"]
+[cols="1,1,1",options="header"]
 |===
 | Field
 | Type
 | Description
-| Default
-| Validation
 
 | `conditions`
 | _array_
 | `conditions` contains information on the current state of the deployment.
-|
-|
 |===
diff --git a/modules/eso-configmap-key-reference.adoc b/modules/eso-configmap-key-reference.adoc
@@ -0,0 +1,38 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-api.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="eso-configmap-key-reference_{context}"]
+= configMapKeyReference
+
+[role="_abstract"]
+The `configMapKeyReference` specifies a specific key in a ConfigMap.
+
+[cols="1,1,1,1,1",options="header"]
+|===
+| Field
+| Type
+| Description
+| Default
+| Validation
+
+| `name`
+|  _string_
+| `name` specifies the name of the ConfigMap resource being referred to.
+|
+a| The maximum length of the name is 253 characters.
+
+The minimum length of the name is 1 character.
+
+| `key`
+| _string_
+| `key` specifies the specific key to be used in the ConfigMap. When ommitted, defaults to `ca-bundle.crt`.
+| `ca-bundle.crt`
+a| The maximum length of the key is 253 characters.
+
+The minimum length of the key is 1 character.
+
+The pattern is: `^[-._a-zA-Z0-9]+$`
+
+|===
diff --git a/modules/eso-controller-config.adoc b/modules/eso-controller-config.adoc
@@ -21,7 +21,7 @@ The `controllerConfig` specifies the configurations used by the controller when
 | _string_
 | `certProvider` defines the configuration for the certificate providers used to manage TLS certificates for webhook and plugins.
 |
-| Optional
+| 
 
 | `labels`
 | _object (keys:string, values:string)_
@@ -31,25 +31,39 @@ a| The maximum number of properties is 20.
 
 The minimum number of properties is 0.
 
-Optional
-
 | `annotations`
 | _object (keys:string, values:string)_
 | `annotations` add custom annotations to all the resources created for the `external-secrets` deployment. The annotations are merged with any default annotations set by the Operator. User-specified annotations take precedence over defaults in case of conflicts. Annotation keys containing the reserved domains `kubernetes.io/`, `openshift.io/`, `k8s.io/`, or `cert-manager.io/` (including subdomains like `*.kubernetes.io/`) are not allowed.
 |
-a| The maximum number of properties is 20.
+a| The maximum number of annotations is 20.
 
-The minimum number of properties is 0.
+The minimum number of annotations is 0.
+
+| `networkPolicies`
+| _networkPolicy array_
+| `networkPolicies` specifies the list of network policy configurations to be applied to the `external-secrets` pods. Each entry allows specifying a name for the generated `NetworkPolicy` object, along with its full Kubernetes `NetworkPolicy` definition. The Operator prepends `eso-user-` to the provided name when creating the Kubernetes object. If this field is not provided, `external-secrets` components aree isolated with `deny-all` network policies, which prevents proper operation.
+|
+a| The maximum number of items is 50.
 
-Optional
+The minimum number of items is 0.
 
 | `componentConfigs`
 | _ComponentConfig array_
-| `componentConfigs` allows specifying deployment-level configuration overrides for individual `external-secrets` components. Each component can have only one configuration entry.
+| `componentConfigs` allows specifying deployment-level configuration overrides for individual `external-secrets`` components. This field enables fine-grained control over deployment settings for each component independently.
+Each component can have only one configuration entry.
+|
 a| The maximum number of items is 4.
 
 The minimum number of items is 0.
 
-Optional
+a| `trustedCABundle`
+
+*ConfigMapKeyReference*
+| _object_
+a| `trustedCABundle`` references a ConfigMap containing PEM-encoded CA certificates for the `external-secrets` core controller to trust when making outbound TLS connections. If specified, this bundle is used for all outbound TLS traffic, including connections to external secret management systems and configured proxies.
+
+The ConfigMap must exist in the `external-secrets` Operand namespace and must not carry the CNO inject-trusted-cabundle label when proxy is configured. When omitted, external providers use standard system certificates. When proxy is configured, proxy TLS connections use the operator-managed {product-title} trusted CA bundle injected by the Cluster Network Operator.
+| 
+|
 
 |===
diff --git a/modules/eso-controller-status.adoc b/modules/eso-controller-status.adoc
@@ -21,7 +21,7 @@ The `controllerStatus` field tracks the health and synchronization state of the
 | _string_
 | `name` specifies the name of the controller for which the observed condition is recorded.
 |
-| Required
+| 
 
 | `conditions`
 | _array_

diff --git a/modules/eso-deployment-config.adoc b/modules/eso-deployment-config.adoc
@@ -21,9 +21,8 @@ The `deploymentConfig` field defines configuration overrides for a Kubernetes De
 | _integer_
 | `revisionHistoryLimit` specifies the number of old `ReplicaSets` to retain for rollback purposes. This allows rolling back to previous deployment versions using the command `oc rollout undo`. Must be at least 1 to ensure rollback capability.
 | 10
-a| The minimum value is 1.
+a| The maximum value is 50.
 
-The maximum value is 50.
+The minimum value is 1.
 
-Optional
 |===
diff --git a/modules/eso-external-secrets-list.adoc b/modules/eso-external-secrets-list.adoc
@@ -9,35 +9,26 @@
 [role="_abstract"]
 The `externalSecretsConfigList` object fetches the list of `externalSecretsConfig` objects.
 
-[cols="1,1,1,1,1",options="header"]
+[cols="1,1,1",options="header"]
 |===
 | Field
 | Type
 | Description
-| Default
-| Validation
 
 | `apiVersion`
 | _string_
 | The `apiVersion` specifies the version of the schema in use, which is `operator.openshift.io/v1alpha1`
-|
-|
 
 | `kind`
 | _string_
 | `kind` specifies the type of the object, which is `externalSecretsList` for this API.
-|
-|
 
 | `metadata`
 | link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#listmeta-v1-meta[_ListMeta_]
 | Refer to Kubernetes API documentation for details about the `metadata` fields.
-|
-|
 
 | `items`
 | _array_
 | `Items` contains a list of `externalSecrets` objects.
-|
-|
+
 |===