chore: add missing things to the documentation (#294)

Author: Skarlso

docs/destinations/push-secrets.md

@@ -0,0 +1,45 @@
+# PushSecrets
+
+## Overview
+
+A PushSecret destination consists of a Kubernetes PushSecret Custom Resource that will be triggered to reconcile when an event arrives.
+
+In order to use this destination, [external-secrets operator](https://github.com/external-secrets/external-secrets) must be installed in the cluster.
+
+This can be used with any notification source to automatically trigger a PushSecret reconciliation when a secret changes.
+
+- Default **UpdateStrategy** is annotations patch to trigger PushSecret reconcile.
+- Default **MatchStrategy** matches secret keys using:
+    - `spec.selector.secret.name`
+    - `spec.data[*].match.remoteRef.remoteKey`
+
+## Configuration
+
+PushSecret configuration is straightforward: all you need to do is add a `pushSecret` as a destination to Watch in your configuration manifest:
+
+```yaml
+apiVersion: reloader.external-secrets.io/v1alpha1
+kind: Config
+metadata:
+  name: reloader-sample
+  labels:
+    app.kubernetes.io/name: reloader
+spec:
+  notificationSources:
+  - #... any notification sources you want
+  destinationsToWatch:
+    - type: PushSecret
+      pushSecret:
+        # you may set one or more of the below:
+        # namespace selectors restrict PushSecret destinations to be on a given namespace set.
+        namespaceSelectors:
+          matchLabels:
+            specific-namespaces-auto-rollout: allowed
+        # label selectors target specific PushSecrets within restricted namespaces.
+        labelSelectors:
+          matchLabels:
+            specific-pushsecret-labels-match: "true"
+        # Filters down to specific PushSecret names
+        names:
+        - optional-name-matching-for-each-pushsecret
+```

docs/quickstart.md

@@ -7,14 +7,16 @@ Reloader is a tool that allows to trigger kubernetes manifests updates based on
 * [Azure EventGrid](sources/azure-eventgrid.md)
 * [Hashicorp Vault audit Logs](sources/vault.md)
 * [Generic Webhook](sources/webhook.md)
+* [TCP Socket](sources/tcp-socket.md)
 * [Kubernetes Secret](sources/kubernetes-secret.md)
+* [Kubernetes ConfigMap](sources/kubernetes-configmap.md)
 
 With it, it is possible to trigger manifest changes to multiple destinations:
 
-* [ExternalSecret](https://external-secrets.io/latest/introduction/getting-started/)
-* [Deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/)
-
-And many more to come!
+* [ExternalSecret](destinations/external-secrets.md)
+* [Deployments](destinations/deployments.md)
+* [PushSecret](destinations/push-secrets.md)
+* [WorkflowRunTemplate](destinations/workflows.md)
 
 ## Installing Reloader
 

docs/reference/strategies.md

@@ -0,0 +1,156 @@
+# Strategies
+
+Each destination in the Reloader configuration supports three optional strategies that control how updates are applied, how secrets are matched, and how the Reloader waits between reconciliations.
+
+When not specified, sensible defaults are used per destination type. See [Deployments](../destinations/deployments.md), [ExternalSecrets](../destinations/external-secrets.md), [PushSecrets](../destinations/push-secrets.md), and [WorkflowRunTemplate](../destinations/workflows.md) for their respective defaults.
+
+## Update Strategy
+
+The Update Strategy controls what action the Reloader takes when a matching event arrives.
+
+### Operations
+
+| Operation     | Description                                                                 |
+|---------------|-----------------------------------------------------------------------------|
+| `PatchStatus` | Patches the status subresource of the destination object.                  |
+| `Patch`       | Patches the destination object at a custom path with a given template.      |
+| `Delete`      | Deletes the destination object entirely.                                    |
+
+### Example: Custom Patch
+
+```yaml
+destinationsToWatch:
+  - type: Deployment
+    deployment:
+      labelSelectors:
+        matchLabels:
+          app: my-app
+    updateStrategy:
+      operation: Patch
+      patchOperationConfig:
+        path: "/spec/template/metadata/annotations"
+        template: '{"reloader.external-secrets.io/rotated-at": "{{ .Timestamp }}"}'
+```
+
+### Example: Delete on Event
+
+```yaml
+destinationsToWatch:
+  - type: ExternalSecret
+    externalSecret:
+      names:
+        - my-external-secret
+    updateStrategy:
+      operation: Delete
+```
+
+## Match Strategy
+
+The Match Strategy controls how the Reloader determines whether a destination is affected by a given secret event. It evaluates a JSON path on the destination object against one or more conditions.
+
+### Condition Operations
+
+| Operation           | Description                                    |
+|---------------------|------------------------------------------------|
+| `Equal`             | Exact value match.                             |
+| `NotEqual`          | Value does not match.                          |
+| `Contains`          | Value contains the given substring.            |
+| `NotContains`       | Value does not contain the given substring.    |
+| `RegularExpression` | Value matches the given regular expression.    |
+
+### Example: Custom Match Path
+
+```yaml
+destinationsToWatch:
+  - type: Deployment
+    deployment:
+      labelSelectors:
+        matchLabels: {}
+    matchStrategy:
+      path: "spec.template.spec.containers[*].env[*].valueFrom.secretKeyRef.name"
+      conditions:
+        - value: "my-secret"
+          operation: Equal
+```
+
+### Example: Regex Match
+
+```yaml
+destinationsToWatch:
+  - type: ExternalSecret
+    externalSecret:
+      labelSelectors:
+        matchLabels: {}
+    matchStrategy:
+      path: "spec.dataFrom.find.name.regexp"
+      conditions:
+        - value: "prod/.*"
+          operation: RegularExpression
+```
+
+## Wait Strategy
+
+The Wait Strategy controls how the Reloader waits between reconciling multiple destination objects. This is useful to avoid overwhelming the cluster with simultaneous rollouts.
+
+Two modes are available: time-based and condition-based. They can be used independently or together.
+
+### Time-Based Wait
+
+Waits for a fixed duration before reconciling the next object.
+
+```yaml
+destinationsToWatch:
+  - type: Deployment
+    deployment:
+      labelSelectors:
+        matchLabels: {}
+    waitStrategy:
+      time: 30s
+```
+
+### Condition-Based Wait
+
+Waits until a specific condition is met on the destination object before moving to the next one. Supports retry logic with configurable timeout and maximum retries.
+
+```yaml
+destinationsToWatch:
+  - type: Deployment
+    deployment:
+      labelSelectors:
+        matchLabels: {}
+    waitStrategy:
+      condition:
+        type: Available
+        status: "True"
+        retryTimeout: 10s
+        maxRetries: 18
+```
+
+In this example, the Reloader waits for the `Available` condition to be `True` before proceeding, checking every 10 seconds up to 18 times (3 minutes total).
+
+### Condition Fields
+
+| Field              | Description                                                              | Required |
+|--------------------|--------------------------------------------------------------------------|----------|
+| `type`             | The name of the condition to wait for.                                   | Yes      |
+| `status`           | The expected status of the condition.                                    | No       |
+| `message`          | Optional message to match.                                               | No       |
+| `reason`           | Optional reason to match.                                                | No       |
+| `retryTimeout`     | Period to wait before each retry.                                        | No       |
+| `maxRetries`       | Maximum number of retries for the condition.                             | No       |
+| `transitionedAfter`| Only accept this condition after a given period from the transition time. | No       |
+| `updatedAfter`     | Only accept this condition after a given period from the update time.     | No       |
+
+### Example: Wait for Fresh Condition
+
+```yaml
+waitStrategy:
+  condition:
+    type: Available
+    status: "True"
+    transitionedAfter: 5s
+    retryTimeout: 10s
+    maxRetries: 30
+```
+
+This ensures the `Available` condition was set at least 5 seconds ago, avoiding stale conditions from a previous rollout.

docs/sources/kubernetes-configmap.md

@@ -0,0 +1,65 @@
+# Kubernetes ConfigMap
+
+This guide explains how to set up Kubernetes ConfigMap events as a notification source for the Reloader component in your environment.
+
+## Overview
+
+The Reloader receives events from Kubernetes ConfigMap by using permissions from an authorized kubeconfig/service account to create a `watch` over ConfigMaps in the target cluster.
+
+This works identically to the [Kubernetes Secret](kubernetes-secret.md) source, but watches ConfigMap resources instead.
+
+## Prerequisites
+
+* A valid service account / kubeconfig with `watch` permissions over ConfigMaps available in the cluster where `reloader` is installed.
+
+## Step 1: Configure Reloader
+
+Update your Reloader configuration to set up the Kubernetes ConfigMap listener.
+
+### Configuration Spec
+
+```yaml
+apiVersion: reloader.external-secrets.io/v1alpha1
+kind: Config
+metadata:
+  name: reloader-configmap-sample
+spec:
+  notificationSources:
+    - type: KubernetesConfigMap
+      kubernetesConfigMap:
+        serverURL: https://kubernetes.default.svc
+        # Auth configuration for the reloader
+        # If targeting the same cluster, this block is optional
+        auth:
+          # b64 encoded CaBundle for the service.
+          caBundle: Cg==
+          # ref for a kubeconfig file in a form of a Kubernetes Secret
+          kubeConfigRef:
+            secretRef:
+              name: reloader-kubeconfig
+              key: kubeconfig
+              namespace: reloader-system
+          # ref for a token in a form of a Kubernetes Secret
+          tokenRef:
+            secretRef:
+                name: reloader-token
+                key: token
+                namespace: reloader-system
+          # ref for a Kubernetes Service Account
+          serviceAccountRef:
+            name: reloader
+            namespace: reloader-system
+        # Optional: narrow down which ConfigMaps to watch
+        labelSelector:
+          matchLabels:
+            managed-by: reloader
+  destinationsToWatch:
+    - type: Deployment
+      deployment:
+        labelSelectors:
+          matchLabels: {}
+```
+
+## Processing Events
+
+Because reloader is only on a `watch` over ConfigMaps, it means that `get`, `list` and `watch` operations are not monitored.

docs/sources/tcp-socket.md

@@ -0,0 +1,99 @@
+# TCP Socket
+
+This guide explains how to set up a generic TCP Socket as a notification source for the Reloader component in your environment. Using a TCP Socket allows you to trigger secret rotation events from any system capable of sending data over a TCP connection.
+
+## Overview
+
+The Reloader opens a TCP listener that receives JSON payloads from external systems. When a payload arrives, the Reloader extracts the secret identifier from a configurable path in the payload and triggers reconciliation on matching destinations.
+
+This is the same mechanism used internally by the [Hashicorp Vault](vault.md) source, exposed as a standalone source for custom integrations.
+
+## Prerequisites
+
+- Kubernetes cluster with Reloader installed.
+- Load Balancer Service Provider available for your Kubernetes cluster (if the sender is external).
+
+## Step 1: Configure Reloader
+
+Update your Reloader configuration to set up the TCP Socket listener.
+
+### Configuration Spec
+
+```yaml
+apiVersion: reloader.external-secrets.io/v1alpha1
+kind: Config
+metadata:
+  name: reloader-tcp-sample
+  labels:
+    app.kubernetes.io/name: reloader
+spec:
+  notificationSources:
+    - type: TCPSocket
+      tcpSocket:
+        host: 0.0.0.0
+        port: 8000
+        identifierPathOnPayload: "0.data.ObjectName"
+  destinationsToWatch:
+    - type: ExternalSecret
+      externalSecret:
+        labelSelectors:
+          matchLabels: {}
+```
+
+- **`host`**: The host interface to bind the listener to. Use `0.0.0.0` to listen on all interfaces.
+- **`port`**: The port on which the listener will accept connections. Defaults to `8000`.
+- **`identifierPathOnPayload`**: The key in the payload used to identify the secret. Defaults to `0.data.ObjectName` if not specified.
+
+In this configuration:
+
+- The listener will accept events at `tcp://<host>:8000`.
+
+## Step 2: Expose the TCP Listener
+
+To allow external systems to send events to the TCP listener, you need to expose it outside the Kubernetes cluster.
+
+### Create a Kubernetes Service
+
+Create a LoadBalancer Service to expose the Reloader TCP listener.
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: reloader-tcp-socket
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/name: reloader
+  ports:
+    - protocol: TCP
+      port: 8000
+      targetPort: 8000
+```
+
+## Processing Events
+
+When a message arrives on the TCP socket, the Reloader extracts the secret identifier from the payload using the configured `identifierPathOnPayload` path. It then matches the identifier against the configured destinations and triggers reconciliation on any matching resources.
+
+### Example Payload
+
+The default identifier path expects a payload structured like:
+
+```json
+{
+  "0": {
+    "data": {
+      "ObjectName": "my-secret"
+    }
+  }
+}
+```
+
+You can customize `identifierPathOnPayload` to match the structure of your system's payload.
+
+## Enabling External Traffic
+
+To ensure the TCP listener is accessible:
+
+- **Network Policies**: If using network policies, allow inbound traffic to the TCP listener.
+- **Firewall Rules**: Configure firewalls or security groups to allow traffic from the sending system to your cluster.