backport of commit 021bd76 (#20800)

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>

website/content/docs/platform/k8s/vso/helm.mdx

@@ -13,7 +13,7 @@ The chart is customizable using
 [Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
 
 <!-- DO NOT EDIT. The docs below are generated automatically. To change, edit
-                  the vault-secrets-operator repo's values.yaml: file commit=7236932478761438b62db3f21634308b3baaf891 -->
+                  the vault-secrets-operator repo's values.yaml: file commit=b9d4f2f8ac86bdc1de71ca101ea8ed1c4e8a429e -->
 <!-- codegen: start -->
 
 ## Top-Level Stanzas
@@ -60,6 +60,8 @@ Use these links to navigate to a particular top-level stanza.
 
         - `memory` ((#v-controller-kuberbacproxy-resources-requests-memory)) (`string: 64Mi`)
 
+  - `annotations` ((#v-controller-annotations)) - This value defines additional annotations for the deployment. This should be formatted as a YAML object (map)
+
   - `manager` ((#v-controller-manager)) - Settings related to the vault-secrets-operator container.
 
     - `image` ((#v-controller-manager-image)) - Image sets the repo and tag of the vault-secrets-operator image to use for the controller.
@@ -69,14 +71,18 @@ Use these links to navigate to a particular top-level stanza.
       - `tag` ((#v-controller-manager-image-tag)) (`string: 0.1.0-beta`)
 
     - `clientCache` ((#v-controller-manager-clientcache)) - Configures the client cache which is used by the controller to cache (and potentially persist) vault tokens that
-      are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens around their TTLs as well as the
-      ability to renew.
+      are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens
+      throughout their TTLs as well as the ability to renew.
+      Persistence is only useful in the context of Dynamic Secrets, so "none" is an okay default.
 
       - `persistenceModel` ((#v-controller-manager-clientcache-persistencemodel)) (`string: ""`) - Defines the `-client-cache-persistence-model` which caches+persists vault tokens.
         Valid values are:
         "none" - in-memory client cache is used, no tokens are persisted.
         "direct-unencrypted" - in-memory client cache is persisted, unencrypted. This is NOT recommended for any production workload.
         "direct-encrypted" - in-memory client cache is persisted encrypted using the Vault Transit engine.
+        Note: It is strongly encouraged to not use the setting of "direct-unencrypted" in
+        production due to the potential of vault tokens being leaked as they would then be stored
+        in clear text.
 
         default: "none"
 
@@ -86,6 +92,33 @@ Use these links to navigate to a particular top-level stanza.
 
         default: 10000
 
+      - `storageEncryption` ((#v-controller-manager-clientcache-storageencryption)) - StorageEncryption provides the necessary configuration to encrypt the client storage
+        cache within Kubernetes objects using (required) Vault Transit Engine.
+        This should only be configured when client cache persistence with encryption is enabled.
+        E.g. `controller.manager.clientCache.persistenceMode=direct-encrypted`
+        Typically there should only ever be one VaultAuth configured with
+        StorageEncryption in the Cluster.
+
+        - `vaultConnectionRef` ((#v-controller-manager-clientcache-storageencryption-vaultconnectionref)) (`string: default`) - Vault Connection Ref to be used by the VaultAuthMethod.
+          Default setting will use the default VaultConnectionRef, which must also be configured.
+
+        - `namespace` ((#v-controller-manager-clientcache-storageencryption-namespace)) (`string: ""`) - Vault namespace for the VaultAuthMethod
+
+        - `keyName` ((#v-controller-manager-clientcache-storageencryption-keyname)) (`string: ""`) - KeyName to use for encrypt/decrypt operations via Vault Transit.
+
+        - `mount` ((#v-controller-manager-clientcache-storageencryption-mount)) (`string: kubernetes`) - Mount path for the Vault Auth Method.
+
+        - `role` ((#v-controller-manager-clientcache-storageencryption-role)) (`string: ""`) - Vault Auth Role to use
+          This is a required field and must be setup in Vault prior to deploying the helm chart
+          if `defaultAuthMethod.enabled=true`
+
+        - `serviceAccount` ((#v-controller-manager-clientcache-storageencryption-serviceaccount)) (`string: ""`) - Kubernetes ServiceAccount associated with the default Vault Auth Role
+          default: Operator's ServiceAccount
+
+        - `tokenAudiences` ((#v-controller-manager-clientcache-storageencryption-tokenaudiences)) (`array<string>: []`) - Token Audience should match the audience of the vault kubernetes auth role.
+
+        - `transitMount` ((#v-controller-manager-clientcache-storageencryption-transitmount)) (`string: ""`) - Mount path for the Transit Method.
+
     - `maxConcurrentReconciles` ((#v-controller-manager-maxconcurrentreconciles)) (`integer: ""`) - Defines the maximum number of concurrent reconciles by the controller.
       NOTE: Currently this is only used by the reconciliation logic of dynamic secrets.
 
@@ -203,8 +236,38 @@ Use these links to navigate to a particular top-level stanza.
 
     - `serviceAccount` ((#v-defaultauthmethod-kubernetes-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount associated with the default Vault Auth Role
 
-    - `tokenAudiences` ((#v-defaultauthmethod-kubernetes-tokenaudiences)) (`array<string>: []`) - Token Audience is required and should match whatever the audience
-      of the vault kubernetes auth role has set.
+    - `tokenAudiences` ((#v-defaultauthmethod-kubernetes-tokenaudiences)) (`array<string>: []`) - Token Audience should match the audience of the vault kubernetes auth role.
+
+  - `jwt` ((#v-defaultauthmethod-jwt)) - Vault JWT auth method specific configuration
+
+    - `role` ((#v-defaultauthmethod-jwt-role)) (`string: ""`) - Vault Auth Role to use
+      This is a required field and must be setup in Vault prior to deploying the helm chart
+      if `jwtAuthMethod.enabled=true`
+
+    - `secretName` ((#v-defaultauthmethod-jwt-secretname)) (`string: ""`) - One of the following is required prior to deploying the helm chart
+      - K8s secret that contains the JWT
+      - K8s service account if a service account JWT is used as a Vault JWT auth token and needs generating by VSO
+
+      Name of Kubernetes Secret that has the Vault JWT auth token.
+      The Kubernetes Secret must contain a key named `jwt` which references the JWT token, and must exist in the namespace
+      of any consuming VaultSecret CR. This is a required field if a JWT token is provided.
+
+    - `serviceAccount` ((#v-defaultauthmethod-jwt-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount to generate a service account JWT
+
+    - `tokenAudiences` ((#v-defaultauthmethod-jwt-tokenaudiences)) (`array<string>: []`) - Token Audience should match the bound_audiences or the `aud` list in bound_claims if applicable
+      of the Vault JWT auth role.
+
+  - `appRole` ((#v-defaultauthmethod-approle)) - AppRole auth method specific configuration
+
+    - `roleId` ((#v-defaultauthmethod-approle-roleid)) (`string: ""`) - AppRole Role's RoleID to use for authenticating to Vault.
+      This is a required field when using appRole and must be setup in Vault prior to deploying the
+      helm chart.
+
+    - `secretName` ((#v-defaultauthmethod-approle-secretname)) (`string: ""`) - Name of Kubernetes Secret that has the AppRole Role's SecretID used to authenticate with Vault.
+      The Kubernetes Secret must contain a key named `id` which references the AppRole Role's
+      SecretID, and must exist in the namespace of any consuming VaultSecret CR.
+      This is a required field when using appRole and must be setup in Vault prior to deploying the
+      helm chart.
 
   - `params` ((#v-defaultauthmethod-params)) (`string: ""`) - Params to use when authenticating to Vault
     params: |