MacroPower · botty-mcbottington · Nov 25, 2025
diff --git a/docs/examples/src/charts/charts.k b/docs/examples/src/charts/charts.k
@@ -44,7 +44,7 @@ charts: helm.Charts = {
         chart = "external-secrets"
         repoURL = "https://charts.external-secrets.io/"
         schemaGenerator = "AUTO"
-        targetRevision = "0.20.4"
+        targetRevision = "1.1.0"
         crdGenerator = "TEMPLATE"
         values: {
             installCRDs = True

diff --git a/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_external_secret.k b/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_external_secret.k
@@ -435,6 +435,8 @@ schema ExternalSecretsIoV1ExternalSecretSpecTarget:
         Defaults to "Retain"
     immutable : bool, default is Undefined, optional
         Immutable defines if the final secret will be immutable
+    manifest : ExternalSecretsIoV1ExternalSecretSpecTargetManifest, default is Undefined, optional
+        manifest
     name : str, default is Undefined, optional
         The name of the Secret resource to be managed.
         Defaults to the .metadata.name of the ExternalSecret resource
@@ -444,6 +446,7 @@ schema ExternalSecretsIoV1ExternalSecretSpecTarget:
     creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" = "Owner"
     deletionPolicy?: "Delete" | "Merge" | "Retain" = "Retain"
     immutable?: bool
+    manifest?: ExternalSecretsIoV1ExternalSecretSpecTargetManifest
     name?: str
     template?: ExternalSecretsIoV1ExternalSecretSpecTargetTemplate
 
@@ -452,6 +455,28 @@ schema ExternalSecretsIoV1ExternalSecretSpecTarget:
         len(name) >= 1 if name
         _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if name
 
+schema ExternalSecretsIoV1ExternalSecretSpecTargetManifest:
+    r"""
+    Manifest defines a custom Kubernetes resource to create instead of a Secret.
+    When specified, ExternalSecret will create the resource type defined here
+    (e.g., ConfigMap, Custom Resource) instead of a Secret.
+    Warning: Using Generic target. Make sure access policies and encryption are properly configured.
+
+    Attributes
+    ----------
+    apiVersion : str, default is Undefined, required
+        APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
+    kind : str, default is Undefined, required
+        Kind of the target resource (e.g., "ConfigMap", "Application")
+    """
+    apiVersion: str
+
+    kind: str
+
+    check:
+        len(apiVersion) >= 1
+        len(kind) >= 1
+
 schema ExternalSecretsIoV1ExternalSecretSpecTargetTemplate:
     r"""
     Template defines a blueprint for the created Secret resource.
@@ -511,12 +536,15 @@ schema ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0:
     secret : ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0Secret, default is Undefined, optional
         secret
     target : str, default is "Data", optional
-        TemplateTarget specifies where the rendered templates should be applied.
+        Target specifies where to place the template result.
+        For Secret resources, common values are: "Data", "Annotations", "Labels".
+        For custom resources (when spec.target.manifest is set), this supports
+        nested paths like "spec.database.config" or "data".
     """
     configMap?: ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0ConfigMap
     literal?: str
     secret?: ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0Secret
-    target?: "Data" | "Annotations" | "Labels" = "Data"
+    target?: str = "Data"
 
 schema ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0ConfigMap:
     r"""

diff --git a/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_secret_store.k b/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_secret_store.k
@@ -2809,9 +2809,12 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderIbmAuthSecretRef:
 
     Attributes
     ----------
+    iamEndpoint : str, default is Undefined, optional
+        The IAM endpoint used to obain a token
     secretApiKeySecretRef : ExternalSecretsIoV1SecretStoreSpecProviderIbmAuthSecretRefSecretAPIKeySecretRef, default is Undefined, optional
         secret Api key secret ref
     """
+    iamEndpoint?: str
     secretApiKeySecretRef?: ExternalSecretsIoV1SecretStoreSpecProviderIbmAuthSecretRefSecretAPIKeySecretRef
 
 schema ExternalSecretsIoV1SecretStoreSpecProviderIbmAuthSecretRefSecretAPIKeySecretRef:
@@ -5021,6 +5024,12 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserver:
 
     Attributes
     ----------
+    caBundle : str, default is Undefined, optional
+        PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
+        if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
+        are used to validate the TLS connection.
+    caProvider : ExternalSecretsIoV1SecretStoreSpecProviderSecretserverCaProvider, default is Undefined, optional
+        ca provider
     domain : str, default is Undefined, optional
         Domain is the secret server domain.
     password : ExternalSecretsIoV1SecretStoreSpecProviderSecretserverPassword, default is Undefined, required
@@ -5031,13 +5040,48 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserver:
     username : ExternalSecretsIoV1SecretStoreSpecProviderSecretserverUsername, default is Undefined, required
         username
     """
+    caBundle?: str
+    caProvider?: ExternalSecretsIoV1SecretStoreSpecProviderSecretserverCaProvider
     domain?: str
     password: ExternalSecretsIoV1SecretStoreSpecProviderSecretserverPassword
 
     serverURL: str
 
     username: ExternalSecretsIoV1SecretStoreSpecProviderSecretserverUsername
 
+schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserverCaProvider:
+    r"""
+    The provider for the CA bundle to use to validate Secret ServerURL certificate.
+
+    Attributes
+    ----------
+    key : str, default is Undefined, optional
+        The key where the CA certificate can be found in the Secret or ConfigMap.
+    name : str, default is Undefined, required
+        The name of the object located at the provider type.
+    namespace : str, default is Undefined, optional
+        The namespace the Provider type is in.
+        Can only be defined when used in a ClusterSecretStore.
+    $type : str, default is Undefined, required
+        The type of provider to use such as "Secret", or "ConfigMap".
+    """
+    key?: str
+    name: str
+
+    namespace?: str
+    $type: "Secret" | "ConfigMap"
+
+    check:
+        len(key) <= 253 if key
+        len(key) >= 1 if key
+        _regex_match(str(key), r"^[-._a-zA-Z0-9]+$") if key
+        len(name) <= 253
+        len(name) >= 1
+        _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
+        len(namespace) <= 63 if namespace
+        len(namespace) >= 1 if namespace
+        _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace
+
 schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserverPassword:
     r"""
     Password is the secret server account password.
@@ -5264,6 +5308,8 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuth:
         app role
     cert : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthCert, default is Undefined, optional
         cert
+    gcp : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcp, default is Undefined, optional
+        gcp
     iam : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthIam, default is Undefined, optional
         iam
     jwt : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthJwt, default is Undefined, optional
@@ -5285,6 +5331,7 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuth:
     """
     appRole?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthAppRole
     cert?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthCert
+    gcp?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcp
     iam?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthIam
     jwt?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthJwt
     kubernetes?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthKubernetes
@@ -5464,6 +5511,159 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthCertSecretRef:
         len(namespace) >= 1 if namespace
         _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace
 
+schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcp:
+    r"""
+    Gcp authenticates with Vault using Google Cloud Platform authentication method
+    GCP authentication method
+
+    Attributes
+    ----------
+    location : str, default is Undefined, optional
+        Location optionally defines a location/region for the secret
+    path : str, default is "gcp", optional
+        Path where the GCP auth method is enabled in Vault, e.g: "gcp"
+    projectID : str, default is Undefined, optional
+        Project ID of the Google Cloud Platform project
+    role : str, default is Undefined, required
+        Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
+    secretRef : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRef, default is Undefined, optional
+        secret ref
+    serviceAccountRef : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpServiceAccountRef, default is Undefined, optional
+        service account ref
+    workloadIdentity : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentity, default is Undefined, optional
+        workload identity
+    """
+    location?: str
+    path?: str = "gcp"
+    projectID?: str
+    role: str
+
+    secretRef?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRef
+    serviceAccountRef?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpServiceAccountRef
+    workloadIdentity?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentity
+
+schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRef:
+    r"""
+    Specify credentials in a Secret object
+
+    Attributes
+    ----------
+    secretAccessKeySecretRef : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRefSecretAccessKeySecretRef, default is Undefined, optional
+        secret access key secret ref
+    """
+    secretAccessKeySecretRef?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRefSecretAccessKeySecretRef
+
+schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRefSecretAccessKeySecretRef:
+    r"""
+    The SecretAccessKey is used for authentication
+
+    Attributes
+    ----------
+    key : str, default is Undefined, optional
+        A key in the referenced Secret.
+        Some instances of this field may be defaulted, in others it may be required.
+    name : str, default is Undefined, optional
+        The name of the Secret resource being referred to.
+    namespace : str, default is Undefined, optional
+        The namespace of the Secret resource being referred to.
+        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+    """
+    key?: str
+    name?: str
+    namespace?: str
+
+    check:
+        len(key) <= 253 if key
+        len(key) >= 1 if key
+        _regex_match(str(key), r"^[-._a-zA-Z0-9]+$") if key
+        len(name) <= 253 if name
+        len(name) >= 1 if name
+        _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if name
+        len(namespace) <= 63 if namespace
+        len(namespace) >= 1 if namespace
+        _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace
+
+schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpServiceAccountRef:
+    r"""
+    ServiceAccountRef to a service account for impersonation
+
+    Attributes
+    ----------
+    audiences : [str], default is Undefined, optional
+        Audience specifies the `aud` claim for the service account token
+        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+        then this audiences will be appended to the list
+    name : str, default is Undefined, required
+        The name of the ServiceAccount resource being referred to.
+    namespace : str, default is Undefined, optional
+        Namespace of the resource being referred to.
+        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+    """
+    audiences?: [str]
+    name: str
+
+    namespace?: str
+
+    check:
+        len(name) <= 253
+        len(name) >= 1
+        _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
+        len(namespace) <= 63 if namespace
+        len(namespace) >= 1 if namespace
+        _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace
+
+schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentity:
+    r"""
+    Specify a service account with Workload Identity
+
+    Attributes
+    ----------
+    clusterLocation : str, default is Undefined, optional
+        ClusterLocation is the location of the cluster
+        If not specified, it fetches information from the metadata server
+    clusterName : str, default is Undefined, optional
+        ClusterName is the name of the cluster
+        If not specified, it fetches information from the metadata server
+    clusterProjectID : str, default is Undefined, optional
+        ClusterProjectID is the project ID of the cluster
+        If not specified, it fetches information from the metadata server
+    serviceAccountRef : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentityServiceAccountRef, default is Undefined, required
+        service account ref
+    """
+    clusterLocation?: str
+    clusterName?: str
+    clusterProjectID?: str
+    serviceAccountRef: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentityServiceAccountRef
+
+schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentityServiceAccountRef:
+    r"""
+    ServiceAccountSelector is a reference to a ServiceAccount resource.
+
+    Attributes
+    ----------
+    audiences : [str], default is Undefined, optional
+        Audience specifies the `aud` claim for the service account token
+        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+        then this audiences will be appended to the list
+    name : str, default is Undefined, required
+        The name of the ServiceAccount resource being referred to.
+    namespace : str, default is Undefined, optional
+        Namespace of the resource being referred to.
+        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+    """
+    audiences?: [str]
+    name: str
+
+    namespace?: str
+
+    check:
+        len(name) <= 253
+        len(name) >= 1
+        _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
+        len(namespace) <= 63 if namespace
+        len(namespace) >= 1 if namespace
+        _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace
+
 schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthIam:
     r"""
     Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials

diff --git a/...c/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_cluster_push_secret.k b/...c/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_cluster_push_secret.k
@@ -416,12 +416,15 @@ schema ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTempl
     secret : ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTemplateFromItems0Secret, default is Undefined, optional
         secret
     target : str, default is "Data", optional
-        TemplateTarget specifies where the rendered templates should be applied.
+        Target specifies where to place the template result.
+        For Secret resources, common values are: "Data", "Annotations", "Labels".
+        For custom resources (when spec.target.manifest is set), this supports
+        nested paths like "spec.database.config" or "data".
     """
     configMap?: ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTemplateFromItems0ConfigMap
     literal?: str
     secret?: ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTemplateFromItems0Secret
-    target?: "Data" | "Annotations" | "Labels" = "Data"
+    target?: str = "Data"
 
 schema ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTemplateFromItems0ConfigMap:
     r"""

diff --git a/...mples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_push_secret.k b/...mples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_push_secret.k
@@ -330,12 +330,15 @@ schema ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0:
     secret : ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0Secret, default is Undefined, optional
         secret
     target : str, default is "Data", optional
-        TemplateTarget specifies where the rendered templates should be applied.
+        Target specifies where to place the template result.
+        For Secret resources, common values are: "Data", "Annotations", "Labels".
+        For custom resources (when spec.target.manifest is set), this supports
+        nested paths like "spec.database.config" or "data".
     """
     configMap?: ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0ConfigMap
     literal?: str
     secret?: ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0Secret
-    target?: "Data" | "Annotations" | "Labels" = "Data"
+    target?: str = "Data"
 
 schema ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0ConfigMap:
     r"""

diff --git a/...rc/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_ssh_key.k b/...rc/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_ssh_key.k
@@ -36,15 +36,16 @@ schema GeneratorsExternalSecretsIoV1alpha1SSHKeySpec:
     comment : str, default is Undefined, optional
         Comment specifies an optional comment for the SSH key
     keySize : int, default is Undefined, optional
-        KeySize specifies the key size for RSA keys (default: 2048)
+        KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
         For RSA keys: 2048, 3072, 4096
+        For ECDSA keys: 256, 384, 521
         Ignored for ed25519 keys
     keyType : str, default is "rsa", optional
-        KeyType specifies the SSH key type (rsa, ed25519)
+        KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
     """
     comment?: str
     keySize?: int
-    keyType?: "rsa" | "ed25519" = "rsa"
+    keyType?: "rsa" | "ecdsa" | "ed25519" = "rsa"
 
     check:
         keySize <= 8192 if keySize not in [None, Undefined]