wip: grpc provider

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Dockerfile

@@ -2,6 +2,7 @@ FROM gcr.io/distroless/static
 ARG TARGETOS
 ARG TARGETARCH
 COPY bin/external-secrets-${TARGETOS}-${TARGETARCH} /bin/external-secrets
+COPY bin/providers /bin
 
 # Run as UID for nobody
 USER 65534

Makefile

@@ -157,7 +157,7 @@ fmt: lint.check ## Ensure consistent code style
 generate: ## Generate code and crds
 	protoc --go_out=. --go_opt=paths=source_relative \
 		--go-grpc_out=. --go-grpc_opt=paths=source_relative \
-		./pkg/plugin/grpc/plugin.proto
+		./pkg/plugin/grpc/provider.proto
 	./cmd/provider/generate.sh
 	go generate ./cmd/provider/provider.go.tmpl
 	@./hack/crd.generate.sh $(BUNDLE_DIR) $(CRD_DIR)
@@ -241,7 +241,7 @@ docker.image:
 docker.tag:
 	@echo $(IMAGE_TAG)
 
-docker.build: $(addprefix build-,$(ARCH)) ## Build the docker image
+docker.build: $(addprefix build-,$(ARCH)) $(addprefix build-provider-,$(ARCH)) ## Build the docker image
 	@$(INFO) docker build
 	@docker build -f $(DOCKERFILE) . $(DOCKER_BUILD_ARGS) -t $(IMAGE_NAME):$(IMAGE_TAG)
 	@$(OK) docker build

apis/externalsecrets/v1beta1/provider_schema.go

@@ -17,6 +17,7 @@ package v1beta1
 import (
 	"encoding/json"
 	"fmt"
+	"reflect"
 	"sync"
 )
 
@@ -30,7 +31,7 @@ func init() {
 // Register a store backend type. Register panics if a
 // backend with the same store is already registered.
 func Register(s Provider, storeSpec *SecretStoreProvider) {
-	storeName, err := getProviderName(storeSpec)
+	storeName, err := GetProviderName(storeSpec)
 	if err != nil {
 		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
 	}
@@ -48,7 +49,7 @@ func Register(s Provider, storeSpec *SecretStoreProvider) {
 // ForceRegister adds to store schema, overwriting a store if
 // already registered. Should only be used for testing.
 func ForceRegister(s Provider, storeSpec *SecretStoreProvider) {
-	storeName, err := getProviderName(storeSpec)
+	storeName, err := GetProviderName(storeSpec)
 	if err != nil {
 		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
 	}
@@ -66,6 +67,18 @@ func GetProviderByName(name string) (Provider, bool) {
 	return f, ok
 }
 
+// Returns the provider name for a registerd provider
+func GetProviderNameByType(p Provider) (string, bool) {
+	buildlock.RLock()
+	for name, v := range builder {
+		if reflect.TypeOf(v) == reflect.TypeOf(p) {
+			return name, true
+		}
+	}
+	buildlock.RUnlock()
+	return "", false
+}
+
 // GetProvider returns the provider from the generic store.
 func GetProvider(s GenericStore) (Provider, error) {
 	if s == nil {
@@ -75,7 +88,7 @@ func GetProvider(s GenericStore) (Provider, error) {
 	if spec == nil {
 		return nil, fmt.Errorf("no spec found in %#v", s)
 	}
-	storeName, err := getProviderName(spec.Provider)
+	storeName, err := GetProviderName(spec.Provider)
 	if err != nil {
 		return nil, fmt.Errorf("store error for %s: %w", s.GetName(), err)
 	}
@@ -91,9 +104,9 @@ func GetProvider(s GenericStore) (Provider, error) {
 	return f, nil
 }
 
-// getProviderName returns the name of the configured provider
+// GetProviderName returns the name of the configured provider
 // or an error if the provider is not configured.
-func getProviderName(storeSpec *SecretStoreProvider) (string, error) {
+func GetProviderName(storeSpec *SecretStoreProvider) (string, error) {
 	storeBytes, err := json.Marshal(storeSpec)
 	if err != nil || storeBytes == nil {
 		return "", fmt.Errorf("failed to marshal store spec: %w", err)

apis/externalsecrets/v1beta1/secretstore_grpc_types.go

@@ -0,0 +1,21 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// AkeylessProvider Configures an store to sync secrets using Akeyless KV.
+type GRPCProvider struct {
+	// GRPC server URL
+	URL string `json:"url"`
+}

apis/externalsecrets/v1beta1/secretstore_types.go

@@ -109,6 +109,9 @@ type SecretStoreProvider struct {
 	// +optional
 	Webhook *WebhookProvider `json:"webhook,omitempty"`
 
+	// experimental GRPC provider
+	GRPC *GRPCProvider `json:"grpc,omitempty"`
+
 	// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
 	// +optional
 	Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"`

apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -1170,6 +1170,21 @@ func (in *GCPWorkloadIdentity) DeepCopy() *GCPWorkloadIdentity {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GRPCProvider) DeepCopyInto(out *GRPCProvider) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCProvider.
+func (in *GRPCProvider) DeepCopy() *GRPCProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GRPCProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GeneratorRef) DeepCopyInto(out *GeneratorRef) {
 	*out = *in
@@ -1713,6 +1728,11 @@ func (in *SecretStoreProvider) DeepCopyInto(out *SecretStoreProvider) {
 		*out = new(WebhookProvider)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.GRPC != nil {
+		in, out := &in.GRPC, &out.GRPC
+		*out = new(GRPCProvider)
+		**out = **in
+	}
 	if in.Kubernetes != nil {
 		in, out := &in.Kubernetes, &out.Kubernetes
 		*out = new(KubernetesProvider)

cmd/provider/generate.sh

@@ -19,6 +19,11 @@ for providerdir in $(find $DIR/../../pkg/provider -maxdepth 1 -mindepth 1 | grep
         continue;
     fi
 
+    # grpc should not be generated
+    if [ "${provider}" == "grpc" ]; then
+        continue;
+    fi
+
     pkgname=$provider
     # override import path, because provider directory structure is not standardised
     if [ "${provider}" == "gcp" ]; then

cmd/provider/generated/akeyless/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-akeyless"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/alibaba/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-alibaba"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/aws/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-aws"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/azure/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-azure/keyvault"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/doppler/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-doppler"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/fake/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-fake"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/gcp/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-gcp/secretmanager"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/gitlab/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-gitlab"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/ibm/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-ibm"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/keepersecurity/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-keepersecurity"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/kubernetes/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-kubernetes"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/onepassword/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-onepassword"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/oracle/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-oracle"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/scaleway/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-scaleway"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/senhasegura/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-senhasegura"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/vault/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-vault"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/generated/webhook/main.go

@@ -1,30 +1,15 @@
 package main
 
 import (
-	"context"
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-webhook"
-	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-	shell "github.com/external-secrets/external-secrets/pkg/provider-shell"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
-	pc, err := p.NewClient(context.Background(), &v1beta1.SecretStore{
-		Spec: v1beta1.SecretStoreSpec{
-			Provider: &v1beta1.SecretStoreProvider{
-				Webhook: &v1beta1.WebhookProvider{
-					URL: "http://example.com",
-				},
-			},
-		},
-	}, nil, "")
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
 	if err != nil {
 		panic(err)
 	}
-	fmt.Printf("starting server")
-	shell.RunServer(pc)
 }

cmd/provider/provider.go.tmpl

@@ -1,13 +1,15 @@
 package main
 
 import (
-	"fmt"
-
 	provider "github.com/external-secrets/external-secrets-provider-PROVIDER_NAME"
+	"github.com/external-secrets/external-secrets/pkg/remote/shell"
 )
 
 //go:generate ./generate.sh $GOFILE
 func main() {
-	p := provider.Provider{}
-	fmt.Printf("provider cap: %#v\n", p.Capabilities())
+	p := &provider.Provider{}
+	err := shell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
 }

cmd/provider/server.go

@@ -0,0 +1,14 @@
+package main
+
+import (
+	webhook "github.com/external-secrets/external-secrets-provider-webhook"
+	pshell "github.com/external-secrets/external-secrets/pkg/remote/shell"
+)
+
+func main() {
+	p := &webhook.Provider{}
+	err := pshell.RunServer(p)
+	if err != nil {
+		panic(err)
+	}
+}

config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -2401,6 +2401,15 @@ spec:
                     required:
                     - auth
                     type: object
+                  grpc:
+                    description: experimental GRPC provider
+                    properties:
+                      url:
+                        description: GRPC server URL
+                        type: string
+                    required:
+                    - url
+                    type: object
                   ibm:
                     description: IBM configures this store to sync secrets using IBM
                       Cloud provider

config/crds/bases/external-secrets.io_secretstores.yaml

@@ -2401,6 +2401,15 @@ spec:
                     required:
                     - auth
                     type: object
+                  grpc:
+                    description: experimental GRPC provider
+                    properties:
+                      url:
+                        description: GRPC server URL
+                        type: string
+                    required:
+                    - url
+                    type: object
                   ibm:
                     description: IBM configures this store to sync secrets using IBM
                       Cloud provider

deploy/crds/bundle.yaml

@@ -2210,6 +2210,15 @@ spec:
                       required:
                         - auth
                       type: object
+                    grpc:
+                      description: experimental GRPC provider
+                      properties:
+                        url:
+                          description: GRPC server URL
+                          type: string
+                      required:
+                        - url
+                      type: object
                     ibm:
                       description: IBM configures this store to sync secrets using IBM Cloud provider
                       properties:
@@ -5786,6 +5795,15 @@ spec:
                       required:
                         - auth
                       type: object
+                    grpc:
+                      description: experimental GRPC provider
+                      properties:
+                        url:
+                          description: GRPC server URL
+                          type: string
+                      required:
+                        - url
+                      type: object
                     ibm:
                       description: IBM configures this store to sync secrets using IBM Cloud provider
                       properties:

go.mod

@@ -11,6 +11,7 @@ replace (
 	github.com/external-secrets/external-secrets-provider-fake => ./pkg/provider/fake
 	github.com/external-secrets/external-secrets-provider-gcp => ./pkg/provider/gcp
 	github.com/external-secrets/external-secrets-provider-gitlab => ./pkg/provider/gitlab
+	github.com/external-secrets/external-secrets-provider-grpc => ./pkg/provider/grpc
 	github.com/external-secrets/external-secrets-provider-ibm => ./pkg/provider/ibm
 	github.com/external-secrets/external-secrets-provider-keepersecurity => ./pkg/provider/keepersecurity
 	github.com/external-secrets/external-secrets-provider-kubernetes => ./pkg/provider/kubernetes
@@ -88,7 +89,7 @@ require (
 	golang.org/x/oauth2 v0.8.0
 	google.golang.org/api v0.124.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
-	google.golang.org/grpc v1.55.0 // indirect
+	google.golang.org/grpc v1.55.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	grpc.go4.org v0.0.0-20170609214715-11d0a25b4919 // indirect
 	k8s.io/api v0.27.2
@@ -128,6 +129,7 @@ require (
 	github.com/aliyun/credentials-go v1.2.7 // indirect
 	github.com/avast/retry-go/v4 v4.3.4 // indirect
 	github.com/clbanning/mxj/v2 v2.5.7 // indirect
+	github.com/external-secrets/external-secrets-provider-grpc v0.0.0-00010101000000-000000000000 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
 	github.com/go-playground/validator/v10 v10.14.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
@@ -252,7 +254,7 @@ require (
 	golang.org/x/tools v0.9.1 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	google.golang.org/protobuf v1.30.0
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect

pkg/controllers/externalsecret/externalsecret_controller_secret.go

@@ -30,8 +30,11 @@ import (
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
+
 	// Loading registered providers.
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
+	"github.com/external-secrets/external-secrets/pkg/remote"
+
 	// Loading registered generators.
 	_ "github.com/external-secrets/external-secrets/pkg/generator/register"
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"
@@ -40,11 +43,16 @@ import (
 
 // getProviderSecretData returns the provider's secret data with the provided ExternalSecret.
 func (r *Reconciler) getProviderSecretData(ctx context.Context, externalSecret *esv1beta1.ExternalSecret) (map[string][]byte, error) {
+	// TODO: make this switchable via flag
+	getProvider := esv1beta1.GetProvider
+	if true {
+		getProvider = remote.GetProvider
+	}
 	// We MUST NOT create multiple instances of a provider client (mostly due to limitations with GCP)
 	// Clientmanager keeps track of the client instances
 	// that are created during the fetching process and closes clients
 	// if needed.
-	mgr := secretstore.NewManager(r.Client, r.ControllerClass, r.EnableFloodGate)
+	mgr := secretstore.NewManager(r.Client, r.ControllerClass, r.EnableFloodGate, getProvider)
 	defer mgr.Close(ctx)
 
 	providerData := make(map[string][]byte)

pkg/controllers/pushsecret/pushsecret_controller.go

@@ -34,6 +34,7 @@ import (
 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	v1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
+	"github.com/external-secrets/external-secrets/pkg/remote"
 )
 
 const (
@@ -62,7 +63,12 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	log := r.Log.WithValues("pushsecret", req.NamespacedName)
 	var ps esapi.PushSecret
 	err := r.Get(ctx, req.NamespacedName, &ps)
-	mgr := secretstore.NewManager(r.Client, r.ControllerClass, false)
+
+	getProvider := v1beta1.GetProvider
+	if true {
+		getProvider = remote.GetProvider
+	}
+	mgr := secretstore.NewManager(r.Client, r.ControllerClass, false, getProvider)
 	defer mgr.Close(ctx)
 	if apierrors.IsNotFound(err) {
 		return ctrl.Result{}, nil

pkg/controllers/secretstore/client_manager.go

@@ -47,6 +47,7 @@ type Manager struct {
 	client          client.Client
 	controllerClass string
 	enableFloodgate bool
+	getProvider     getProviderFunc
 
 	// store clients by provider type
 	clientMap map[clientKey]*clientVal
@@ -61,12 +62,15 @@ type clientVal struct {
 	store  esv1beta1.GenericStore
 }
 
+type getProviderFunc func(store esv1beta1.GenericStore) (esv1beta1.Provider, error)
+
 // New constructs a new manager with defaults.
-func NewManager(ctrlClient client.Client, controllerClass string, enableFloodgate bool) *Manager {
+func NewManager(ctrlClient client.Client, controllerClass string, enableFloodgate bool, getProvider getProviderFunc) *Manager {
 	log := ctrl.Log.WithName("clientmanager")
 	return &Manager{
 		log:             log,
 		client:          ctrlClient,
+		getProvider:     getProvider,
 		controllerClass: controllerClass,
 		enableFloodgate: enableFloodgate,
 		clientMap:       make(map[clientKey]*clientVal),
@@ -74,7 +78,7 @@ func NewManager(ctrlClient client.Client, controllerClass string, enableFloodgat
 }
 
 func (m *Manager) GetFromStore(ctx context.Context, store esv1beta1.GenericStore, namespace string) (esv1beta1.SecretsClient, error) {
-	storeProvider, err := esv1beta1.GetProvider(store)
+	storeProvider, err := m.getProvider(store)
 	if err != nil {
 		return nil, err
 	}

pkg/controllers/secretstore/common.go

@@ -25,6 +25,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	"github.com/external-secrets/external-secrets/pkg/remote"
 )
 
 const (
@@ -67,7 +68,11 @@ func reconcile(ctx context.Context, req ctrl.Request, ss esapi.GenericStore, cl
 		log.Error(err, "unable to validate store")
 		return ctrl.Result{}, err
 	}
-	storeProvider, err := esapi.GetProvider(ss)
+	getProvider := esapi.GetProvider
+	if true {
+		getProvider = remote.GetProvider
+	}
+	storeProvider, err := getProvider(ss)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
@@ -90,7 +95,12 @@ func reconcile(ctx context.Context, req ctrl.Request, ss esapi.GenericStore, cl
 // if it fails sets a condition and writes events.
 func validateStore(ctx context.Context, namespace, controllerClass string, store esapi.GenericStore,
 	client client.Client, recorder record.EventRecorder) error {
-	mgr := NewManager(client, controllerClass, false)
+
+	getProvider := esapi.GetProvider
+	if true {
+		getProvider = remote.GetProvider
+	}
+	mgr := NewManager(client, controllerClass, false, getProvider)
 	defer mgr.Close(ctx)
 	cl, err := mgr.GetFromStore(ctx, store, namespace)
 	if err != nil {

pkg/plugin/grpc/plugin.pb.go

@@ -1,361 +0,0 @@
-//
-//Copyright © 2022 ESO Maintainer Team
-//
-//Licensed under the Apache License, Version 2.0 (the "License");
-//you may not use this file except in compliance with the License.
-//You may obtain a copy of the License at
-//
-//http://www.apache.org/licenses/LICENSE-2.0
-//
-//Unless required by applicable law or agreed to in writing, software
-//distributed under the License is distributed on an "AS IS" BASIS,
-//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//See the License for the specific language governing permissions and
-//limitations under the License.
-
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
-// source: pkg/plugin/grpc/plugin.proto
-
-package plugin_proto
-
-import (
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
-	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	reflect "reflect"
-	sync "sync"
-)
-
-const (
-	// Verify that this generated code is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
-	// Verify that runtime/protoimpl is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
-)
-
-type RemoteRef struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Key                string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
-	MetadataPolicy     string `protobuf:"bytes,2,opt,name=metadataPolicy,proto3" json:"metadataPolicy,omitempty"`
-	Property           string `protobuf:"bytes,3,opt,name=property,proto3" json:"property,omitempty"`
-	Version            string `protobuf:"bytes,4,opt,name=version,proto3" json:"version,omitempty"`
-	ConversionStrategy string `protobuf:"bytes,5,opt,name=conversionStrategy,proto3" json:"conversionStrategy,omitempty"`
-	DecodingStrategy   string `protobuf:"bytes,6,opt,name=decodingStrategy,proto3" json:"decodingStrategy,omitempty"`
-}
-
-func (x *RemoteRef) Reset() {
-	*x = RemoteRef{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_pkg_plugin_grpc_plugin_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *RemoteRef) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*RemoteRef) ProtoMessage() {}
-
-func (x *RemoteRef) ProtoReflect() protoreflect.Message {
-	mi := &file_pkg_plugin_grpc_plugin_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use RemoteRef.ProtoReflect.Descriptor instead.
-func (*RemoteRef) Descriptor() ([]byte, []int) {
-	return file_pkg_plugin_grpc_plugin_proto_rawDescGZIP(), []int{0}
-}
-
-func (x *RemoteRef) GetKey() string {
-	if x != nil {
-		return x.Key
-	}
-	return ""
-}
-
-func (x *RemoteRef) GetMetadataPolicy() string {
-	if x != nil {
-		return x.MetadataPolicy
-	}
-	return ""
-}
-
-func (x *RemoteRef) GetProperty() string {
-	if x != nil {
-		return x.Property
-	}
-	return ""
-}
-
-func (x *RemoteRef) GetVersion() string {
-	if x != nil {
-		return x.Version
-	}
-	return ""
-}
-
-func (x *RemoteRef) GetConversionStrategy() string {
-	if x != nil {
-		return x.ConversionStrategy
-	}
-	return ""
-}
-
-func (x *RemoteRef) GetDecodingStrategy() string {
-	if x != nil {
-		return x.DecodingStrategy
-	}
-	return ""
-}
-
-type GetSecretRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	RemoteRef *RemoteRef `protobuf:"bytes,1,opt,name=remoteRef,proto3" json:"remoteRef,omitempty"`
-}
-
-func (x *GetSecretRequest) Reset() {
-	*x = GetSecretRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_pkg_plugin_grpc_plugin_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *GetSecretRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*GetSecretRequest) ProtoMessage() {}
-
-func (x *GetSecretRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_pkg_plugin_grpc_plugin_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use GetSecretRequest.ProtoReflect.Descriptor instead.
-func (*GetSecretRequest) Descriptor() ([]byte, []int) {
-	return file_pkg_plugin_grpc_plugin_proto_rawDescGZIP(), []int{1}
-}
-
-func (x *GetSecretRequest) GetRemoteRef() *RemoteRef {
-	if x != nil {
-		return x.RemoteRef
-	}
-	return nil
-}
-
-type GetSecretReply struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Secret []byte `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
-	Error  string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
-}
-
-func (x *GetSecretReply) Reset() {
-	*x = GetSecretReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_pkg_plugin_grpc_plugin_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *GetSecretReply) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*GetSecretReply) ProtoMessage() {}
-
-func (x *GetSecretReply) ProtoReflect() protoreflect.Message {
-	mi := &file_pkg_plugin_grpc_plugin_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use GetSecretReply.ProtoReflect.Descriptor instead.
-func (*GetSecretReply) Descriptor() ([]byte, []int) {
-	return file_pkg_plugin_grpc_plugin_proto_rawDescGZIP(), []int{2}
-}
-
-func (x *GetSecretReply) GetSecret() []byte {
-	if x != nil {
-		return x.Secret
-	}
-	return nil
-}
-
-func (x *GetSecretReply) GetError() string {
-	if x != nil {
-		return x.Error
-	}
-	return ""
-}
-
-var File_pkg_plugin_grpc_plugin_proto protoreflect.FileDescriptor
-
-var file_pkg_plugin_grpc_plugin_proto_rawDesc = []byte{
-	0x0a, 0x1c, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x67, 0x72, 0x70,
-	0x63, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06,
-	0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x22, 0xd7, 0x01, 0x0a, 0x09, 0x52, 0x65, 0x6d, 0x6f, 0x74,
-	0x65, 0x52, 0x65, 0x66, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x26, 0x0a, 0x0e, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61,
-	0x74, 0x61, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e,
-	0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1a,
-	0x0a, 0x08, 0x70, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x08, 0x70, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65,
-	0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72,
-	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x12, 0x63, 0x6f, 0x6e, 0x76, 0x65, 0x72, 0x73, 0x69,
-	0x6f, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x12, 0x63, 0x6f, 0x6e, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x72, 0x61,
-	0x74, 0x65, 0x67, 0x79, 0x12, 0x2a, 0x0a, 0x10, 0x64, 0x65, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67,
-	0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10,
-	0x64, 0x65, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79,
-	0x22, 0x43, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x12, 0x2f, 0x0a, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65,
-	0x66, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
-	0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x52, 0x09, 0x72, 0x65, 0x6d, 0x6f,
-	0x74, 0x65, 0x52, 0x65, 0x66, 0x22, 0x3e, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63, 0x72,
-	0x65, 0x74, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x63, 0x72, 0x65,
-	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12,
-	0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x65, 0x72, 0x72, 0x6f, 0x72, 0x32, 0x50, 0x0a, 0x0d, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
-	0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x12, 0x3f, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63,
-	0x72, 0x65, 0x74, 0x12, 0x18, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74,
-	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e,
-	0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
-	0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x87, 0x01, 0x0a, 0x23, 0x69, 0x6f, 0x2e, 0x65,
-	0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2d, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x2e,
-	0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x42,
-	0x13, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x49, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
-	0x6f, 0x6d, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2d, 0x73, 0x65, 0x63, 0x72,
-	0x65, 0x74, 0x73, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2d, 0x73, 0x65, 0x63,
-	0x72, 0x65, 0x74, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f,
-	0x67, 0x72, 0x70, 0x63, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
-
-var (
-	file_pkg_plugin_grpc_plugin_proto_rawDescOnce sync.Once
-	file_pkg_plugin_grpc_plugin_proto_rawDescData = file_pkg_plugin_grpc_plugin_proto_rawDesc
-)
-
-func file_pkg_plugin_grpc_plugin_proto_rawDescGZIP() []byte {
-	file_pkg_plugin_grpc_plugin_proto_rawDescOnce.Do(func() {
-		file_pkg_plugin_grpc_plugin_proto_rawDescData = protoimpl.X.CompressGZIP(file_pkg_plugin_grpc_plugin_proto_rawDescData)
-	})
-	return file_pkg_plugin_grpc_plugin_proto_rawDescData
-}
-
-var file_pkg_plugin_grpc_plugin_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
-var file_pkg_plugin_grpc_plugin_proto_goTypes = []interface{}{
-	(*RemoteRef)(nil),        // 0: plugin.RemoteRef
-	(*GetSecretRequest)(nil), // 1: plugin.GetSecretRequest
-	(*GetSecretReply)(nil),   // 2: plugin.GetSecretReply
-}
-var file_pkg_plugin_grpc_plugin_proto_depIdxs = []int32{
-	0, // 0: plugin.GetSecretRequest.remoteRef:type_name -> plugin.RemoteRef
-	1, // 1: plugin.SecretsClient.GetSecret:input_type -> plugin.GetSecretRequest
-	2, // 2: plugin.SecretsClient.GetSecret:output_type -> plugin.GetSecretReply
-	2, // [2:3] is the sub-list for method output_type
-	1, // [1:2] is the sub-list for method input_type
-	1, // [1:1] is the sub-list for extension type_name
-	1, // [1:1] is the sub-list for extension extendee
-	0, // [0:1] is the sub-list for field type_name
-}
-
-func init() { file_pkg_plugin_grpc_plugin_proto_init() }
-func file_pkg_plugin_grpc_plugin_proto_init() {
-	if File_pkg_plugin_grpc_plugin_proto != nil {
-		return
-	}
-	if !protoimpl.UnsafeEnabled {
-		file_pkg_plugin_grpc_plugin_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*RemoteRef); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_pkg_plugin_grpc_plugin_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*GetSecretRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_pkg_plugin_grpc_plugin_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*GetSecretReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
-	type x struct{}
-	out := protoimpl.TypeBuilder{
-		File: protoimpl.DescBuilder{
-			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_pkg_plugin_grpc_plugin_proto_rawDesc,
-			NumEnums:      0,
-			NumMessages:   3,
-			NumExtensions: 0,
-			NumServices:   1,
-		},
-		GoTypes:           file_pkg_plugin_grpc_plugin_proto_goTypes,
-		DependencyIndexes: file_pkg_plugin_grpc_plugin_proto_depIdxs,
-		MessageInfos:      file_pkg_plugin_grpc_plugin_proto_msgTypes,
-	}.Build()
-	File_pkg_plugin_grpc_plugin_proto = out.File
-	file_pkg_plugin_grpc_plugin_proto_rawDesc = nil
-	file_pkg_plugin_grpc_plugin_proto_goTypes = nil
-	file_pkg_plugin_grpc_plugin_proto_depIdxs = nil
-}

pkg/plugin/grpc/plugin.proto

@@ -1,48 +0,0 @@
-/*
-Copyright © 2022 ESO Maintainer Team
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-syntax = "proto3";
-
-option go_package = "github.com/external-secrets/external-secrets/pkg/plugin/grpc/plugin.proto";
-option java_multiple_files = true;
-option java_package = "io.external-secrets.provider.plugin";
-option java_outer_classname = "ProviderPluginProto";
-
-package plugin;
-
-service SecretsClient {
-  // GetSecret returns a single secret from the provider
-	// if GetSecret returns an error with type NoSecretError
-	// then the secret entry will be deleted depending on the deletionPolicy.
-  rpc GetSecret (GetSecretRequest) returns (GetSecretReply) {}
-}
-
-message RemoteRef {
-  string key = 1;
-  string metadataPolicy = 2;
-  string property = 3;
-  string version = 4;
-  string conversionStrategy = 5;
-  string decodingStrategy = 6;
-}
-
-message GetSecretRequest {
-  RemoteRef remoteRef = 1;
-}
-
-message GetSecretReply {
-  bytes secret = 1;
-  string error = 2;
-}

pkg/plugin/grpc/plugin_grpc.pb.go

@@ -1,111 +0,0 @@
-// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
-// versions:
-// - protoc-gen-go-grpc v1.2.0
-// - protoc             v3.21.12
-// source: pkg/plugin/grpc/plugin.proto
-
-package plugin_proto
-
-import (
-	context "context"
-	grpc "google.golang.org/grpc"
-	codes "google.golang.org/grpc/codes"
-	status "google.golang.org/grpc/status"
-)
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.32.0 or later.
-const _ = grpc.SupportPackageIsVersion7
-
-// SecretsClientClient is the client API for SecretsClient service.
-//
-// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
-type SecretsClientClient interface {
-	// GetSecret returns a single secret from the provider
-	// if GetSecret returns an error with type NoSecretError
-	// then the secret entry will be deleted depending on the deletionPolicy.
-	GetSecret(ctx context.Context, in *GetSecretRequest, opts ...grpc.CallOption) (*GetSecretReply, error)
-}
-
-type secretsClientClient struct {
-	cc grpc.ClientConnInterface
-}
-
-func NewSecretsClientClient(cc grpc.ClientConnInterface) SecretsClientClient {
-	return &secretsClientClient{cc}
-}
-
-func (c *secretsClientClient) GetSecret(ctx context.Context, in *GetSecretRequest, opts ...grpc.CallOption) (*GetSecretReply, error) {
-	out := new(GetSecretReply)
-	err := c.cc.Invoke(ctx, "/plugin.SecretsClient/GetSecret", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-// SecretsClientServer is the server API for SecretsClient service.
-// All implementations must embed UnimplementedSecretsClientServer
-// for forward compatibility
-type SecretsClientServer interface {
-	// GetSecret returns a single secret from the provider
-	// if GetSecret returns an error with type NoSecretError
-	// then the secret entry will be deleted depending on the deletionPolicy.
-	GetSecret(context.Context, *GetSecretRequest) (*GetSecretReply, error)
-	mustEmbedUnimplementedSecretsClientServer()
-}
-
-// UnimplementedSecretsClientServer must be embedded to have forward compatible implementations.
-type UnimplementedSecretsClientServer struct {
-}
-
-func (UnimplementedSecretsClientServer) GetSecret(context.Context, *GetSecretRequest) (*GetSecretReply, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetSecret not implemented")
-}
-func (UnimplementedSecretsClientServer) mustEmbedUnimplementedSecretsClientServer() {}
-
-// UnsafeSecretsClientServer may be embedded to opt out of forward compatibility for this service.
-// Use of this interface is not recommended, as added methods to SecretsClientServer will
-// result in compilation errors.
-type UnsafeSecretsClientServer interface {
-	mustEmbedUnimplementedSecretsClientServer()
-}
-
-func RegisterSecretsClientServer(s grpc.ServiceRegistrar, srv SecretsClientServer) {
-	s.RegisterService(&SecretsClient_ServiceDesc, srv)
-}
-
-func _SecretsClient_GetSecret_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(GetSecretRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(SecretsClientServer).GetSecret(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/plugin.SecretsClient/GetSecret",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SecretsClientServer).GetSecret(ctx, req.(*GetSecretRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-// SecretsClient_ServiceDesc is the grpc.ServiceDesc for SecretsClient service.
-// It's only intended for direct use with grpc.RegisterService,
-// and not to be introspected or modified (even as a copy)
-var SecretsClient_ServiceDesc = grpc.ServiceDesc{
-	ServiceName: "plugin.SecretsClient",
-	HandlerType: (*SecretsClientServer)(nil),
-	Methods: []grpc.MethodDesc{
-		{
-			MethodName: "GetSecret",
-			Handler:    _SecretsClient_GetSecret_Handler,
-		},
-	},
-	Streams:  []grpc.StreamDesc{},
-	Metadata: "pkg/plugin/grpc/plugin.proto",
-}

pkg/plugin/grpc/provider.pb.go

@@ -0,0 +1,1226 @@
+//
+//Copyright © 2022 ESO Maintainer Team
+//
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.1
+// 	protoc        v3.21.12
+// source: pkg/plugin/grpc/provider.proto
+
+package plugin_proto
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type GetSecretRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Store     []byte     `protobuf:"bytes,1,opt,name=store,proto3" json:"store,omitempty"`
+	Namespace string     `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+	RemoteRef *RemoteRef `protobuf:"bytes,3,opt,name=remoteRef,proto3" json:"remoteRef,omitempty"`
+}
+
+func (x *GetSecretRequest) Reset() {
+	*x = GetSecretRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetSecretRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetSecretRequest) ProtoMessage() {}
+
+func (x *GetSecretRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetSecretRequest.ProtoReflect.Descriptor instead.
+func (*GetSecretRequest) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *GetSecretRequest) GetStore() []byte {
+	if x != nil {
+		return x.Store
+	}
+	return nil
+}
+
+func (x *GetSecretRequest) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
+	}
+	return ""
+}
+
+func (x *GetSecretRequest) GetRemoteRef() *RemoteRef {
+	if x != nil {
+		return x.RemoteRef
+	}
+	return nil
+}
+
+type GetSecretReply struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Secret []byte `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
+	Error  string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (x *GetSecretReply) Reset() {
+	*x = GetSecretReply{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetSecretReply) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetSecretReply) ProtoMessage() {}
+
+func (x *GetSecretReply) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetSecretReply.ProtoReflect.Descriptor instead.
+func (*GetSecretReply) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *GetSecretReply) GetSecret() []byte {
+	if x != nil {
+		return x.Secret
+	}
+	return nil
+}
+
+func (x *GetSecretReply) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+type PushSecretRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Store     []byte         `protobuf:"bytes,1,opt,name=store,proto3" json:"store,omitempty"`
+	Namespace string         `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+	Secret    []byte         `protobuf:"bytes,3,opt,name=secret,proto3" json:"secret,omitempty"`
+	RemoteRef *PushRemoteRef `protobuf:"bytes,4,opt,name=remoteRef,proto3" json:"remoteRef,omitempty"`
+}
+
+func (x *PushSecretRequest) Reset() {
+	*x = PushSecretRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PushSecretRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PushSecretRequest) ProtoMessage() {}
+
+func (x *PushSecretRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PushSecretRequest.ProtoReflect.Descriptor instead.
+func (*PushSecretRequest) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *PushSecretRequest) GetStore() []byte {
+	if x != nil {
+		return x.Store
+	}
+	return nil
+}
+
+func (x *PushSecretRequest) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
+	}
+	return ""
+}
+
+func (x *PushSecretRequest) GetSecret() []byte {
+	if x != nil {
+		return x.Secret
+	}
+	return nil
+}
+
+func (x *PushSecretRequest) GetRemoteRef() *PushRemoteRef {
+	if x != nil {
+		return x.RemoteRef
+	}
+	return nil
+}
+
+type PushSecretReply struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (x *PushSecretReply) Reset() {
+	*x = PushSecretReply{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PushSecretReply) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PushSecretReply) ProtoMessage() {}
+
+func (x *PushSecretReply) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PushSecretReply.ProtoReflect.Descriptor instead.
+func (*PushSecretReply) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *PushSecretReply) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+type DeleteSecretRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Store     []byte         `protobuf:"bytes,1,opt,name=store,proto3" json:"store,omitempty"`
+	Namespace string         `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+	RemoteRef *PushRemoteRef `protobuf:"bytes,3,opt,name=remoteRef,proto3" json:"remoteRef,omitempty"`
+}
+
+func (x *DeleteSecretRequest) Reset() {
+	*x = DeleteSecretRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DeleteSecretRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DeleteSecretRequest) ProtoMessage() {}
+
+func (x *DeleteSecretRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DeleteSecretRequest.ProtoReflect.Descriptor instead.
+func (*DeleteSecretRequest) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *DeleteSecretRequest) GetStore() []byte {
+	if x != nil {
+		return x.Store
+	}
+	return nil
+}
+
+func (x *DeleteSecretRequest) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
+	}
+	return ""
+}
+
+func (x *DeleteSecretRequest) GetRemoteRef() *PushRemoteRef {
+	if x != nil {
+		return x.RemoteRef
+	}
+	return nil
+}
+
+type DeleteSecretReply struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (x *DeleteSecretReply) Reset() {
+	*x = DeleteSecretReply{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DeleteSecretReply) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DeleteSecretReply) ProtoMessage() {}
+
+func (x *DeleteSecretReply) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DeleteSecretReply.ProtoReflect.Descriptor instead.
+func (*DeleteSecretReply) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *DeleteSecretReply) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+type GetSecretMapRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Store     []byte     `protobuf:"bytes,1,opt,name=store,proto3" json:"store,omitempty"`
+	Namespace string     `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+	RemoteRef *RemoteRef `protobuf:"bytes,3,opt,name=remoteRef,proto3" json:"remoteRef,omitempty"`
+}
+
+func (x *GetSecretMapRequest) Reset() {
+	*x = GetSecretMapRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetSecretMapRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetSecretMapRequest) ProtoMessage() {}
+
+func (x *GetSecretMapRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetSecretMapRequest.ProtoReflect.Descriptor instead.
+func (*GetSecretMapRequest) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *GetSecretMapRequest) GetStore() []byte {
+	if x != nil {
+		return x.Store
+	}
+	return nil
+}
+
+func (x *GetSecretMapRequest) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
+	}
+	return ""
+}
+
+func (x *GetSecretMapRequest) GetRemoteRef() *RemoteRef {
+	if x != nil {
+		return x.RemoteRef
+	}
+	return nil
+}
+
+type GetSecretMapReply struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Data  map[string][]byte `protobuf:"bytes,9,rep,name=data,proto3" json:"data,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Error string            `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (x *GetSecretMapReply) Reset() {
+	*x = GetSecretMapReply{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetSecretMapReply) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetSecretMapReply) ProtoMessage() {}
+
+func (x *GetSecretMapReply) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetSecretMapReply.ProtoReflect.Descriptor instead.
+func (*GetSecretMapReply) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *GetSecretMapReply) GetData() map[string][]byte {
+	if x != nil {
+		return x.Data
+	}
+	return nil
+}
+
+func (x *GetSecretMapReply) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+type GetAllSecretsRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Store     []byte              `protobuf:"bytes,1,opt,name=store,proto3" json:"store,omitempty"`
+	Namespace string              `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+	RemoteRef *ExternalSecretFind `protobuf:"bytes,3,opt,name=remoteRef,proto3" json:"remoteRef,omitempty"`
+}
+
+func (x *GetAllSecretsRequest) Reset() {
+	*x = GetAllSecretsRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[8]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetAllSecretsRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetAllSecretsRequest) ProtoMessage() {}
+
+func (x *GetAllSecretsRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[8]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetAllSecretsRequest.ProtoReflect.Descriptor instead.
+func (*GetAllSecretsRequest) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *GetAllSecretsRequest) GetStore() []byte {
+	if x != nil {
+		return x.Store
+	}
+	return nil
+}
+
+func (x *GetAllSecretsRequest) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
+	}
+	return ""
+}
+
+func (x *GetAllSecretsRequest) GetRemoteRef() *ExternalSecretFind {
+	if x != nil {
+		return x.RemoteRef
+	}
+	return nil
+}
+
+type GetAllSecretsReply struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Data  map[string][]byte `protobuf:"bytes,1,rep,name=data,proto3" json:"data,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Error string            `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (x *GetAllSecretsReply) Reset() {
+	*x = GetAllSecretsReply{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[9]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetAllSecretsReply) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetAllSecretsReply) ProtoMessage() {}
+
+func (x *GetAllSecretsReply) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[9]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetAllSecretsReply.ProtoReflect.Descriptor instead.
+func (*GetAllSecretsReply) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{9}
+}
+
+func (x *GetAllSecretsReply) GetData() map[string][]byte {
+	if x != nil {
+		return x.Data
+	}
+	return nil
+}
+
+func (x *GetAllSecretsReply) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+type RemoteRef struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Key                string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
+	MetadataPolicy     string `protobuf:"bytes,2,opt,name=metadataPolicy,proto3" json:"metadataPolicy,omitempty"`
+	Property           string `protobuf:"bytes,3,opt,name=property,proto3" json:"property,omitempty"`
+	Version            string `protobuf:"bytes,4,opt,name=version,proto3" json:"version,omitempty"`
+	ConversionStrategy string `protobuf:"bytes,5,opt,name=conversionStrategy,proto3" json:"conversionStrategy,omitempty"`
+	DecodingStrategy   string `protobuf:"bytes,6,opt,name=decodingStrategy,proto3" json:"decodingStrategy,omitempty"`
+}
+
+func (x *RemoteRef) Reset() {
+	*x = RemoteRef{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[10]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *RemoteRef) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RemoteRef) ProtoMessage() {}
+
+func (x *RemoteRef) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[10]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RemoteRef.ProtoReflect.Descriptor instead.
+func (*RemoteRef) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *RemoteRef) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+func (x *RemoteRef) GetMetadataPolicy() string {
+	if x != nil {
+		return x.MetadataPolicy
+	}
+	return ""
+}
+
+func (x *RemoteRef) GetProperty() string {
+	if x != nil {
+		return x.Property
+	}
+	return ""
+}
+
+func (x *RemoteRef) GetVersion() string {
+	if x != nil {
+		return x.Version
+	}
+	return ""
+}
+
+func (x *RemoteRef) GetConversionStrategy() string {
+	if x != nil {
+		return x.ConversionStrategy
+	}
+	return ""
+}
+
+func (x *RemoteRef) GetDecodingStrategy() string {
+	if x != nil {
+		return x.DecodingStrategy
+	}
+	return ""
+}
+
+type PushRemoteRef struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	RemoteKey string `protobuf:"bytes,1,opt,name=remoteKey,proto3" json:"remoteKey,omitempty"`
+	Property  string `protobuf:"bytes,2,opt,name=property,proto3" json:"property,omitempty"`
+}
+
+func (x *PushRemoteRef) Reset() {
+	*x = PushRemoteRef{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[11]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PushRemoteRef) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PushRemoteRef) ProtoMessage() {}
+
+func (x *PushRemoteRef) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[11]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PushRemoteRef.ProtoReflect.Descriptor instead.
+func (*PushRemoteRef) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *PushRemoteRef) GetRemoteKey() string {
+	if x != nil {
+		return x.RemoteKey
+	}
+	return ""
+}
+
+func (x *PushRemoteRef) GetProperty() string {
+	if x != nil {
+		return x.Property
+	}
+	return ""
+}
+
+type ExternalSecretFind struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Path               string            `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
+	FindNameRegexp     string            `protobuf:"bytes,2,opt,name=findNameRegexp,proto3" json:"findNameRegexp,omitempty"`
+	Tags               map[string]string `protobuf:"bytes,3,rep,name=tags,proto3" json:"tags,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	ConversionStrategy string            `protobuf:"bytes,4,opt,name=conversionStrategy,proto3" json:"conversionStrategy,omitempty"`
+	DecodingStrategy   string            `protobuf:"bytes,5,opt,name=decodingStrategy,proto3" json:"decodingStrategy,omitempty"`
+}
+
+func (x *ExternalSecretFind) Reset() {
+	*x = ExternalSecretFind{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[12]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ExternalSecretFind) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExternalSecretFind) ProtoMessage() {}
+
+func (x *ExternalSecretFind) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_plugin_grpc_provider_proto_msgTypes[12]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExternalSecretFind.ProtoReflect.Descriptor instead.
+func (*ExternalSecretFind) Descriptor() ([]byte, []int) {
+	return file_pkg_plugin_grpc_provider_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *ExternalSecretFind) GetPath() string {
+	if x != nil {
+		return x.Path
+	}
+	return ""
+}
+
+func (x *ExternalSecretFind) GetFindNameRegexp() string {
+	if x != nil {
+		return x.FindNameRegexp
+	}
+	return ""
+}
+
+func (x *ExternalSecretFind) GetTags() map[string]string {
+	if x != nil {
+		return x.Tags
+	}
+	return nil
+}
+
+func (x *ExternalSecretFind) GetConversionStrategy() string {
+	if x != nil {
+		return x.ConversionStrategy
+	}
+	return ""
+}
+
+func (x *ExternalSecretFind) GetDecodingStrategy() string {
+	if x != nil {
+		return x.DecodingStrategy
+	}
+	return ""
+}
+
+var File_pkg_plugin_grpc_provider_proto protoreflect.FileDescriptor
+
+var file_pkg_plugin_grpc_provider_proto_rawDesc = []byte{
+	0x0a, 0x1e, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x67, 0x72, 0x70,
+	0x63, 0x2f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x12, 0x06, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x22, 0x77, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05,
+	0x73, 0x74, 0x6f, 0x72, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x73, 0x74, 0x6f,
+	0x72, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65,
+	0x12, 0x2f, 0x0a, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x18, 0x03, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x52, 0x65, 0x6d,
+	0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x52, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65,
+	0x66, 0x22, 0x3e, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x65,
+	0x70, 0x6c, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0c, 0x52, 0x06, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x65,
+	0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f,
+	0x72, 0x22, 0x94, 0x01, 0x0a, 0x11, 0x50, 0x75, 0x73, 0x68, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x74, 0x6f, 0x72, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x12, 0x1c, 0x0a,
+	0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x73, 0x65, 0x63,
+	0x72, 0x65, 0x74, 0x12, 0x33, 0x0a, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e,
+	0x50, 0x75, 0x73, 0x68, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x52, 0x09, 0x72,
+	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x22, 0x27, 0x0a, 0x0f, 0x50, 0x75, 0x73, 0x68,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x65,
+	0x72, 0x72, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f,
+	0x72, 0x22, 0x7e, 0x0a, 0x13, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x74, 0x6f, 0x72,
+	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x12, 0x1c,
+	0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x09,
+	0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x15, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x50, 0x75, 0x73, 0x68, 0x52, 0x65, 0x6d,
+	0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x52, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65,
+	0x66, 0x22, 0x29, 0x0a, 0x11, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x7a, 0x0a, 0x13,
+	0x47, 0x65, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x05, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d,
+	0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61,
+	0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2f, 0x0a, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74,
+	0x65, 0x52, 0x65, 0x66, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6c, 0x75,
+	0x67, 0x69, 0x6e, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x52, 0x09, 0x72,
+	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x22, 0x9b, 0x01, 0x0a, 0x11, 0x47, 0x65, 0x74,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x37,
+	0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x70,
+	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4d,
+	0x61, 0x70, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x2e, 0x44, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x37, 0x0a,
+	0x09, 0x44, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
+	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
+	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c,
+	0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x84, 0x01, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x41, 0x6c,
+	0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x14, 0x0a, 0x05, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05,
+	0x73, 0x74, 0x6f, 0x72, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
+	0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70,
+	0x61, 0x63, 0x65, 0x12, 0x38, 0x0a, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e,
+	0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x46, 0x69,
+	0x6e, 0x64, 0x52, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x22, 0x9d, 0x01,
+	0x0a, 0x12, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x52,
+	0x65, 0x70, 0x6c, 0x79, 0x12, 0x38, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03,
+	0x28, 0x0b, 0x32, 0x24, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x41,
+	0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x2e, 0x44,
+	0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x14,
+	0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65,
+	0x72, 0x72, 0x6f, 0x72, 0x1a, 0x37, 0x0a, 0x09, 0x44, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xd7, 0x01,
+	0x0a, 0x09, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x12, 0x10, 0x0a, 0x03, 0x6b,
+	0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x26, 0x0a,
+	0x0e, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x50,
+	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74,
+	0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74,
+	0x79, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x12, 0x63,
+	0x6f, 0x6e, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67,
+	0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x63, 0x6f, 0x6e, 0x76, 0x65, 0x72, 0x73,
+	0x69, 0x6f, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x2a, 0x0a, 0x10, 0x64,
+	0x65, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x64, 0x65, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x53,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x22, 0x49, 0x0a, 0x0d, 0x50, 0x75, 0x73, 0x68, 0x52,
+	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x52, 0x65, 0x66, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x6d, 0x6f,
+	0x74, 0x65, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x72, 0x65, 0x6d,
+	0x6f, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x70, 0x65, 0x72,
+	0x74, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x70, 0x65, 0x72,
+	0x74, 0x79, 0x22, 0x9f, 0x02, 0x0a, 0x12, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74,
+	0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x26, 0x0a,
+	0x0e, 0x66, 0x69, 0x6e, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x67, 0x65, 0x78, 0x70, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x66, 0x69, 0x6e, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x52,
+	0x65, 0x67, 0x65, 0x78, 0x70, 0x12, 0x38, 0x0a, 0x04, 0x74, 0x61, 0x67, 0x73, 0x18, 0x03, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x45, 0x78, 0x74,
+	0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, 0x2e,
+	0x54, 0x61, 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x04, 0x74, 0x61, 0x67, 0x73, 0x12,
+	0x2e, 0x0a, 0x12, 0x63, 0x6f, 0x6e, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x72,
+	0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x63, 0x6f, 0x6e,
+	0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12,
+	0x2a, 0x0a, 0x10, 0x64, 0x65, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x72, 0x61, 0x74,
+	0x65, 0x67, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x64, 0x65, 0x63, 0x6f, 0x64,
+	0x69, 0x6e, 0x67, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x1a, 0x37, 0x0a, 0x09, 0x54,
+	0x61, 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61,
+	0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
+	0x3a, 0x02, 0x38, 0x01, 0x32, 0xf5, 0x02, 0x0a, 0x0d, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
+	0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x12, 0x3f, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63,
+	0x72, 0x65, 0x74, 0x12, 0x18, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e,
+	0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
+	0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x42, 0x0a, 0x0a, 0x50, 0x75, 0x73, 0x68, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x19, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x50,
+	0x75, 0x73, 0x68, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x17, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x50, 0x75, 0x73, 0x68, 0x53, 0x65,
+	0x63, 0x72, 0x65, 0x74, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x0c, 0x44,
+	0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x1b, 0x2e, 0x70, 0x6c,
+	0x75, 0x67, 0x69, 0x6e, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69,
+	0x6e, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x65,
+	0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x63, 0x72,
+	0x65, 0x74, 0x4d, 0x61, 0x70, 0x12, 0x1b, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47,
+	0x65, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x19, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12,
+	0x4b, 0x0a, 0x0d, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
+	0x12, 0x1c, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1a,
+	0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x53, 0x65,
+	0x63, 0x72, 0x65, 0x74, 0x73, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x87, 0x01, 0x0a,
+	0x23, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2d, 0x73, 0x65, 0x63,
+	0x72, 0x65, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x2e, 0x70, 0x6c,
+	0x75, 0x67, 0x69, 0x6e, 0x42, 0x13, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x50, 0x6c,
+	0x75, 0x67, 0x69, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x49, 0x67, 0x69, 0x74,
+	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c,
+	0x2d, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61,
+	0x6c, 0x2d, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x6c,
+	0x75, 0x67, 0x69, 0x6e, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_pkg_plugin_grpc_provider_proto_rawDescOnce sync.Once
+	file_pkg_plugin_grpc_provider_proto_rawDescData = file_pkg_plugin_grpc_provider_proto_rawDesc
+)
+
+func file_pkg_plugin_grpc_provider_proto_rawDescGZIP() []byte {
+	file_pkg_plugin_grpc_provider_proto_rawDescOnce.Do(func() {
+		file_pkg_plugin_grpc_provider_proto_rawDescData = protoimpl.X.CompressGZIP(file_pkg_plugin_grpc_provider_proto_rawDescData)
+	})
+	return file_pkg_plugin_grpc_provider_proto_rawDescData
+}
+
+var file_pkg_plugin_grpc_provider_proto_msgTypes = make([]protoimpl.MessageInfo, 16)
+var file_pkg_plugin_grpc_provider_proto_goTypes = []interface{}{
+	(*GetSecretRequest)(nil),     // 0: plugin.GetSecretRequest
+	(*GetSecretReply)(nil),       // 1: plugin.GetSecretReply
+	(*PushSecretRequest)(nil),    // 2: plugin.PushSecretRequest
+	(*PushSecretReply)(nil),      // 3: plugin.PushSecretReply
+	(*DeleteSecretRequest)(nil),  // 4: plugin.DeleteSecretRequest
+	(*DeleteSecretReply)(nil),    // 5: plugin.DeleteSecretReply
+	(*GetSecretMapRequest)(nil),  // 6: plugin.GetSecretMapRequest
+	(*GetSecretMapReply)(nil),    // 7: plugin.GetSecretMapReply
+	(*GetAllSecretsRequest)(nil), // 8: plugin.GetAllSecretsRequest
+	(*GetAllSecretsReply)(nil),   // 9: plugin.GetAllSecretsReply
+	(*RemoteRef)(nil),            // 10: plugin.RemoteRef
+	(*PushRemoteRef)(nil),        // 11: plugin.PushRemoteRef
+	(*ExternalSecretFind)(nil),   // 12: plugin.ExternalSecretFind
+	nil,                          // 13: plugin.GetSecretMapReply.DataEntry
+	nil,                          // 14: plugin.GetAllSecretsReply.DataEntry
+	nil,                          // 15: plugin.ExternalSecretFind.TagsEntry
+}
+var file_pkg_plugin_grpc_provider_proto_depIdxs = []int32{
+	10, // 0: plugin.GetSecretRequest.remoteRef:type_name -> plugin.RemoteRef
+	11, // 1: plugin.PushSecretRequest.remoteRef:type_name -> plugin.PushRemoteRef
+	11, // 2: plugin.DeleteSecretRequest.remoteRef:type_name -> plugin.PushRemoteRef
+	10, // 3: plugin.GetSecretMapRequest.remoteRef:type_name -> plugin.RemoteRef
+	13, // 4: plugin.GetSecretMapReply.data:type_name -> plugin.GetSecretMapReply.DataEntry
+	12, // 5: plugin.GetAllSecretsRequest.remoteRef:type_name -> plugin.ExternalSecretFind
+	14, // 6: plugin.GetAllSecretsReply.data:type_name -> plugin.GetAllSecretsReply.DataEntry
+	15, // 7: plugin.ExternalSecretFind.tags:type_name -> plugin.ExternalSecretFind.TagsEntry
+	0,  // 8: plugin.SecretsClient.GetSecret:input_type -> plugin.GetSecretRequest
+	2,  // 9: plugin.SecretsClient.PushSecret:input_type -> plugin.PushSecretRequest
+	4,  // 10: plugin.SecretsClient.DeleteSecret:input_type -> plugin.DeleteSecretRequest
+	6,  // 11: plugin.SecretsClient.GetSecretMap:input_type -> plugin.GetSecretMapRequest
+	8,  // 12: plugin.SecretsClient.GetAllSecrets:input_type -> plugin.GetAllSecretsRequest
+	1,  // 13: plugin.SecretsClient.GetSecret:output_type -> plugin.GetSecretReply
+	3,  // 14: plugin.SecretsClient.PushSecret:output_type -> plugin.PushSecretReply
+	5,  // 15: plugin.SecretsClient.DeleteSecret:output_type -> plugin.DeleteSecretReply
+	7,  // 16: plugin.SecretsClient.GetSecretMap:output_type -> plugin.GetSecretMapReply
+	9,  // 17: plugin.SecretsClient.GetAllSecrets:output_type -> plugin.GetAllSecretsReply
+	13, // [13:18] is the sub-list for method output_type
+	8,  // [8:13] is the sub-list for method input_type
+	8,  // [8:8] is the sub-list for extension type_name
+	8,  // [8:8] is the sub-list for extension extendee
+	0,  // [0:8] is the sub-list for field type_name
+}
+
+func init() { file_pkg_plugin_grpc_provider_proto_init() }
+func file_pkg_plugin_grpc_provider_proto_init() {
+	if File_pkg_plugin_grpc_provider_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_pkg_plugin_grpc_provider_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetSecretRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetSecretReply); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*PushSecretRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*PushSecretReply); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DeleteSecretRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DeleteSecretReply); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetSecretMapRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetSecretMapReply); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetAllSecretsRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetAllSecretsReply); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*RemoteRef); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*PushRemoteRef); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_plugin_grpc_provider_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ExternalSecretFind); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_pkg_plugin_grpc_provider_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   16,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_pkg_plugin_grpc_provider_proto_goTypes,
+		DependencyIndexes: file_pkg_plugin_grpc_provider_proto_depIdxs,
+		MessageInfos:      file_pkg_plugin_grpc_provider_proto_msgTypes,
+	}.Build()
+	File_pkg_plugin_grpc_provider_proto = out.File
+	file_pkg_plugin_grpc_provider_proto_rawDesc = nil
+	file_pkg_plugin_grpc_provider_proto_goTypes = nil
+	file_pkg_plugin_grpc_provider_proto_depIdxs = nil
+}

pkg/plugin/grpc/provider.proto

@@ -0,0 +1,114 @@
+/*
+Copyright © 2022 ESO Maintainer Team
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+syntax = "proto3";
+
+option go_package = "github.com/external-secrets/external-secrets/pkg/plugin/grpc/plugin.proto";
+option java_multiple_files = true;
+option java_package = "io.external-secrets.provider.plugin";
+option java_outer_classname = "ProviderPluginProto";
+
+package plugin;
+
+service SecretsClient {
+  // GetSecret returns a single secret from the provider
+  // if GetSecret returns an error with type NoSecretError
+  // then the secret entry will be deleted depending on the deletionPolicy.
+  rpc GetSecret(GetSecretRequest) returns (GetSecretReply) {}
+
+  // PushSecret will write a single secret into the provider
+  rpc PushSecret(PushSecretRequest) returns (PushSecretReply) {}
+
+  // DeleteSecret will delete the secret from a provider
+  rpc DeleteSecret(DeleteSecretRequest) returns (DeleteSecretReply) {}
+
+  // GetSecretMap returns multiple k/v pairs from the provider
+  rpc GetSecretMap(GetSecretMapRequest) returns (GetSecretMapReply) {}
+
+  // GetAllSecrets returns multiple k/v pairs from the provider
+  rpc GetAllSecrets(GetAllSecretsRequest) returns (GetAllSecretsReply) {}
+}
+
+message GetSecretRequest {
+  bytes store = 1;
+  string namespace = 2;
+  RemoteRef remoteRef = 3;
+}
+
+message GetSecretReply {
+  bytes secret = 1;
+  string error = 2;
+}
+
+message PushSecretRequest {
+  bytes store = 1;
+  string namespace = 2;
+  bytes secret = 3;
+  PushRemoteRef remoteRef = 4;
+}
+
+message PushSecretReply { string error = 1; }
+
+message DeleteSecretRequest {
+  bytes store = 1;
+  string namespace = 2;
+  PushRemoteRef remoteRef = 3;
+}
+
+message DeleteSecretReply { string error = 1; }
+
+message GetSecretMapRequest {
+  bytes store = 1;
+  string namespace = 2;
+  RemoteRef remoteRef = 3;
+}
+
+message GetSecretMapReply {
+  map<string, bytes> data = 9;
+  string error = 2;
+}
+
+message GetAllSecretsRequest {
+  bytes store = 1;
+  string namespace = 2;
+  ExternalSecretFind remoteRef = 3;
+}
+
+message GetAllSecretsReply {
+  map<string, bytes> data = 1;
+  string error = 2;
+}
+
+message RemoteRef {
+  string key = 1;
+  string metadataPolicy = 2;
+  string property = 3;
+  string version = 4;
+  string conversionStrategy = 5;
+  string decodingStrategy = 6;
+}
+
+message PushRemoteRef {
+  string remoteKey = 1;
+  string property = 2;
+}
+
+message ExternalSecretFind {
+  string path = 1;
+  string findNameRegexp = 2;
+  map<string, string> tags = 3;
+  string conversionStrategy = 4;
+  string decodingStrategy = 5;
+}

pkg/plugin/grpc/provider_grpc.pb.go

@@ -0,0 +1,263 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc             v3.21.12
+// source: pkg/plugin/grpc/provider.proto
+
+package plugin_proto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// SecretsClientClient is the client API for SecretsClient service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type SecretsClientClient interface {
+	// GetSecret returns a single secret from the provider
+	// if GetSecret returns an error with type NoSecretError
+	// then the secret entry will be deleted depending on the deletionPolicy.
+	GetSecret(ctx context.Context, in *GetSecretRequest, opts ...grpc.CallOption) (*GetSecretReply, error)
+	// PushSecret will write a single secret into the provider
+	PushSecret(ctx context.Context, in *PushSecretRequest, opts ...grpc.CallOption) (*PushSecretReply, error)
+	// DeleteSecret will delete the secret from a provider
+	DeleteSecret(ctx context.Context, in *DeleteSecretRequest, opts ...grpc.CallOption) (*DeleteSecretReply, error)
+	// GetSecretMap returns multiple k/v pairs from the provider
+	GetSecretMap(ctx context.Context, in *GetSecretMapRequest, opts ...grpc.CallOption) (*GetSecretMapReply, error)
+	// GetAllSecrets returns multiple k/v pairs from the provider
+	GetAllSecrets(ctx context.Context, in *GetAllSecretsRequest, opts ...grpc.CallOption) (*GetAllSecretsReply, error)
+}
+
+type secretsClientClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewSecretsClientClient(cc grpc.ClientConnInterface) SecretsClientClient {
+	return &secretsClientClient{cc}
+}
+
+func (c *secretsClientClient) GetSecret(ctx context.Context, in *GetSecretRequest, opts ...grpc.CallOption) (*GetSecretReply, error) {
+	out := new(GetSecretReply)
+	err := c.cc.Invoke(ctx, "/plugin.SecretsClient/GetSecret", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *secretsClientClient) PushSecret(ctx context.Context, in *PushSecretRequest, opts ...grpc.CallOption) (*PushSecretReply, error) {
+	out := new(PushSecretReply)
+	err := c.cc.Invoke(ctx, "/plugin.SecretsClient/PushSecret", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *secretsClientClient) DeleteSecret(ctx context.Context, in *DeleteSecretRequest, opts ...grpc.CallOption) (*DeleteSecretReply, error) {
+	out := new(DeleteSecretReply)
+	err := c.cc.Invoke(ctx, "/plugin.SecretsClient/DeleteSecret", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *secretsClientClient) GetSecretMap(ctx context.Context, in *GetSecretMapRequest, opts ...grpc.CallOption) (*GetSecretMapReply, error) {
+	out := new(GetSecretMapReply)
+	err := c.cc.Invoke(ctx, "/plugin.SecretsClient/GetSecretMap", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *secretsClientClient) GetAllSecrets(ctx context.Context, in *GetAllSecretsRequest, opts ...grpc.CallOption) (*GetAllSecretsReply, error) {
+	out := new(GetAllSecretsReply)
+	err := c.cc.Invoke(ctx, "/plugin.SecretsClient/GetAllSecrets", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// SecretsClientServer is the server API for SecretsClient service.
+// All implementations must embed UnimplementedSecretsClientServer
+// for forward compatibility
+type SecretsClientServer interface {
+	// GetSecret returns a single secret from the provider
+	// if GetSecret returns an error with type NoSecretError
+	// then the secret entry will be deleted depending on the deletionPolicy.
+	GetSecret(context.Context, *GetSecretRequest) (*GetSecretReply, error)
+	// PushSecret will write a single secret into the provider
+	PushSecret(context.Context, *PushSecretRequest) (*PushSecretReply, error)
+	// DeleteSecret will delete the secret from a provider
+	DeleteSecret(context.Context, *DeleteSecretRequest) (*DeleteSecretReply, error)
+	// GetSecretMap returns multiple k/v pairs from the provider
+	GetSecretMap(context.Context, *GetSecretMapRequest) (*GetSecretMapReply, error)
+	// GetAllSecrets returns multiple k/v pairs from the provider
+	GetAllSecrets(context.Context, *GetAllSecretsRequest) (*GetAllSecretsReply, error)
+	mustEmbedUnimplementedSecretsClientServer()
+}
+
+// UnimplementedSecretsClientServer must be embedded to have forward compatible implementations.
+type UnimplementedSecretsClientServer struct {
+}
+
+func (UnimplementedSecretsClientServer) GetSecret(context.Context, *GetSecretRequest) (*GetSecretReply, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetSecret not implemented")
+}
+func (UnimplementedSecretsClientServer) PushSecret(context.Context, *PushSecretRequest) (*PushSecretReply, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PushSecret not implemented")
+}
+func (UnimplementedSecretsClientServer) DeleteSecret(context.Context, *DeleteSecretRequest) (*DeleteSecretReply, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteSecret not implemented")
+}
+func (UnimplementedSecretsClientServer) GetSecretMap(context.Context, *GetSecretMapRequest) (*GetSecretMapReply, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetSecretMap not implemented")
+}
+func (UnimplementedSecretsClientServer) GetAllSecrets(context.Context, *GetAllSecretsRequest) (*GetAllSecretsReply, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetAllSecrets not implemented")
+}
+func (UnimplementedSecretsClientServer) mustEmbedUnimplementedSecretsClientServer() {}
+
+// UnsafeSecretsClientServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to SecretsClientServer will
+// result in compilation errors.
+type UnsafeSecretsClientServer interface {
+	mustEmbedUnimplementedSecretsClientServer()
+}
+
+func RegisterSecretsClientServer(s grpc.ServiceRegistrar, srv SecretsClientServer) {
+	s.RegisterService(&SecretsClient_ServiceDesc, srv)
+}
+
+func _SecretsClient_GetSecret_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetSecretRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SecretsClientServer).GetSecret(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/plugin.SecretsClient/GetSecret",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SecretsClientServer).GetSecret(ctx, req.(*GetSecretRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SecretsClient_PushSecret_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(PushSecretRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SecretsClientServer).PushSecret(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/plugin.SecretsClient/PushSecret",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SecretsClientServer).PushSecret(ctx, req.(*PushSecretRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SecretsClient_DeleteSecret_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeleteSecretRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SecretsClientServer).DeleteSecret(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/plugin.SecretsClient/DeleteSecret",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SecretsClientServer).DeleteSecret(ctx, req.(*DeleteSecretRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SecretsClient_GetSecretMap_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetSecretMapRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SecretsClientServer).GetSecretMap(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/plugin.SecretsClient/GetSecretMap",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SecretsClientServer).GetSecretMap(ctx, req.(*GetSecretMapRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SecretsClient_GetAllSecrets_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetAllSecretsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SecretsClientServer).GetAllSecrets(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/plugin.SecretsClient/GetAllSecrets",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SecretsClientServer).GetAllSecrets(ctx, req.(*GetAllSecretsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// SecretsClient_ServiceDesc is the grpc.ServiceDesc for SecretsClient service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var SecretsClient_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "plugin.SecretsClient",
+	HandlerType: (*SecretsClientServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetSecret",
+			Handler:    _SecretsClient_GetSecret_Handler,
+		},
+		{
+			MethodName: "PushSecret",
+			Handler:    _SecretsClient_PushSecret_Handler,
+		},
+		{
+			MethodName: "DeleteSecret",
+			Handler:    _SecretsClient_DeleteSecret_Handler,
+		},
+		{
+			MethodName: "GetSecretMap",
+			Handler:    _SecretsClient_GetSecretMap_Handler,
+		},
+		{
+			MethodName: "GetAllSecrets",
+			Handler:    _SecretsClient_GetAllSecrets_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "pkg/plugin/grpc/provider.proto",
+}

pkg/provider-shell/shell.go

@@ -1,71 +0,0 @@
-/*
-Copyright © 2022 ESO Maintainer Team
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package shell
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"net"
-
-	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-	pb "github.com/external-secrets/external-secrets/pkg/plugin/grpc"
-	"google.golang.org/grpc"
-)
-
-type Server struct {
-	pb.UnimplementedSecretsClientServer
-	secretsClient esapi.SecretsClient
-}
-
-func RunServer(secretsClient esapi.SecretsClient) error {
-	pluginServer := &Server{
-		secretsClient: secretsClient,
-	}
-	lis, err := net.Listen("unix", "/tmp/plugin.sock")
-	if err != nil {
-		return fmt.Errorf("failed to listen: %v", err)
-	}
-	defer lis.Close()
-	s := grpc.NewServer()
-	pb.RegisterSecretsClientServer(s, pluginServer)
-	log.Printf("server listening at %v", lis.Addr())
-	if err := s.Serve(lis); err != nil {
-		log.Fatalf("failed to serve: %v", err)
-	}
-	return nil
-}
-
-func (s *Server) GetSecret(ctx context.Context, req *pb.GetSecretRequest) (*pb.GetSecretReply, error) {
-	ref := esapi.ExternalSecretDataRemoteRef{
-		Key:                req.RemoteRef.Key,
-		MetadataPolicy:     esapi.ExternalSecretMetadataPolicy(req.RemoteRef.MetadataPolicy),
-		Property:           req.RemoteRef.Property,
-		Version:            req.RemoteRef.Version,
-		ConversionStrategy: esapi.ExternalSecretConversionStrategy(req.RemoteRef.ConversionStrategy),
-		DecodingStrategy:   esapi.ExternalSecretDecodingStrategy(req.RemoteRef.DecodingStrategy),
-	}
-	secret, err := s.secretsClient.GetSecret(ctx, ref)
-	if err != nil {
-		// TODO: handle NoSecret error on the client side
-		return &pb.GetSecretReply{
-			Error: err.Error(),
-		}, nil
-	}
-	return &pb.GetSecretReply{
-		Secret: secret,
-	}, nil
-}

pkg/provider/grpc/go.mod

@@ -0,0 +1,3 @@
+module github.com/external-secrets/external-secrets-provider-grpc
+
+go 1.20

pkg/provider/grpc/provider.go

@@ -0,0 +1,165 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package grpc
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log"
+	"time"
+
+	pb "github.com/external-secrets/external-secrets/pkg/plugin/grpc"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+// https://github.com/external-secrets/external-secrets/issues/644
+var _ esv1beta1.SecretsClient = &GRPCSecretClient{}
+var _ esv1beta1.Provider = &Provider{}
+
+// Provider satisfies the provider interface.
+type Provider struct{}
+
+type GRPCSecretClient struct {
+	kube      client.Client
+	store     esv1beta1.GenericStore
+	namespace string
+	storeKind string
+
+	conn     *grpc.ClientConn
+	pbClient pb.SecretsClientClient
+}
+
+func init() {
+	esv1beta1.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
+		GRPC: &esv1beta1.GRPCProvider{},
+	})
+}
+
+// Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
+func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
+	return esv1beta1.SecretStoreReadWrite
+}
+
+func (p *Provider) NewClient(_ context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
+	grpcClient := &GRPCSecretClient{
+		kube:      kube,
+		store:     store,
+		namespace: namespace,
+		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
+	}
+	provider, err := getProvider(store)
+	if err != nil {
+		return nil, err
+	}
+
+	// Set up a connection to the server.
+	grpcClient.conn, err = grpc.Dial(provider.URL, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		log.Fatalf("did not connect: %v", err)
+	}
+	grpcClient.pbClient = pb.NewSecretsClientClient(grpcClient.conn)
+
+	return grpcClient, nil
+}
+
+func (p *Provider) ValidateStore(_ esv1beta1.GenericStore) error {
+	return nil
+}
+
+func getProvider(store esv1beta1.GenericStore) (*esv1beta1.GRPCProvider, error) {
+	spc := store.GetSpec()
+	if spc == nil || spc.Provider == nil || spc.Provider.GRPC == nil {
+		return nil, fmt.Errorf("missing store provider webhook")
+	}
+	return spc.Provider.GRPC, nil
+}
+
+func (w *GRPCSecretClient) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
+// Not Implemented PushSecret.
+func (w *GRPCSecretClient) PushSecret(_ context.Context, _ []byte, _ esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
+// Empty GetAllSecrets.
+func (w *GRPCSecretClient) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
+func (w *GRPCSecretClient) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+
+	store := esv1beta1.SecretStore{
+		TypeMeta: v1.TypeMeta{
+			APIVersion: esv1beta1.SchemeGroupVersion.String(),
+			Kind:       esv1beta1.SecretStoreKind,
+		},
+		Spec: esv1beta1.SecretStoreSpec{
+			Provider: &esv1beta1.SecretStoreProvider{
+				Webhook: &esv1beta1.WebhookProvider{
+					URL: "http://httpbin.org/anything",
+				},
+			},
+		},
+	}
+	storeBytes, err := json.Marshal(store)
+	if err != nil {
+		return nil, err
+	}
+
+	res, err := w.pbClient.GetSecret(ctx, &pb.GetSecretRequest{
+		Store:     storeBytes,
+		Namespace: w.namespace,
+		RemoteRef: &pb.RemoteRef{
+			Key:                ref.Key,
+			Version:            ref.Version,
+			Property:           ref.Property,
+			MetadataPolicy:     string(ref.MetadataPolicy),
+			DecodingStrategy:   string(ref.DecodingStrategy),
+			ConversionStrategy: string(ref.ConversionStrategy),
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	log.Printf("secret=%s, err=%s", string(res.Secret), res.Error)
+	if res.Error != "" {
+		return nil, errors.New(res.Error)
+	}
+	return res.Secret, nil
+}
+
+func (w *GRPCSecretClient) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+	return nil, fmt.Errorf("GetSecretMap not implemented")
+}
+
+func (w *GRPCSecretClient) Close(_ context.Context) error {
+	return w.conn.Close()
+}
+
+func (w *GRPCSecretClient) Validate() (esv1beta1.ValidationResult, error) {
+	return esv1beta1.ValidationResultReady, nil
+}

pkg/provider/register/register.go

@@ -17,24 +17,23 @@ package register
 
 // packages imported here are registered to the controller schema.
 
-import (
-	_ "github.com/external-secrets/external-secrets-provider-akeyless"
-	_ "github.com/external-secrets/external-secrets-provider-alibaba"
-	_ "github.com/external-secrets/external-secrets-provider-aws"
-	_ "github.com/external-secrets/external-secrets-provider-azure/keyvault"
-	_ "github.com/external-secrets/external-secrets-provider-doppler"
-	_ "github.com/external-secrets/external-secrets-provider-fake"
-	_ "github.com/external-secrets/external-secrets-provider-gcp/secretmanager"
-	_ "github.com/external-secrets/external-secrets-provider-gitlab"
-	_ "github.com/external-secrets/external-secrets-provider-ibm"
-	_ "github.com/external-secrets/external-secrets-provider-keepersecurity"
-	_ "github.com/external-secrets/external-secrets-provider-kubernetes"
-	_ "github.com/external-secrets/external-secrets-provider-onepassword"
-	_ "github.com/external-secrets/external-secrets-provider-oracle"
-	_ "github.com/external-secrets/external-secrets-provider-scaleway"
-	_ "github.com/external-secrets/external-secrets-provider-senhasegura"
-	_ "github.com/external-secrets/external-secrets-provider-vault"
-	_ "github.com/external-secrets/external-secrets-provider-webhook"
-	_ "github.com/external-secrets/external-secrets-provider-yandex/certificatemanager"
-	_ "github.com/external-secrets/external-secrets-provider-yandex/lockbox"
-)
+// _ "github.com/external-secrets/external-secrets-provider-akeyless"
+// _ "github.com/external-secrets/external-secrets-provider-alibaba"
+// _ "github.com/external-secrets/external-secrets-provider-aws"
+// _ "github.com/external-secrets/external-secrets-provider-azure/keyvault"
+// _ "github.com/external-secrets/external-secrets-provider-doppler"
+// _ "github.com/external-secrets/external-secrets-provider-fake"
+// _ "github.com/external-secrets/external-secrets-provider-gcp/secretmanager"
+// _ "github.com/external-secrets/external-secrets-provider-gitlab"
+// _ "github.com/external-secrets/external-secrets-provider-grpc"
+// _ "github.com/external-secrets/external-secrets-provider-ibm"
+// _ "github.com/external-secrets/external-secrets-provider-keepersecurity"
+// _ "github.com/external-secrets/external-secrets-provider-kubernetes"
+// _ "github.com/external-secrets/external-secrets-provider-onepassword"
+// _ "github.com/external-secrets/external-secrets-provider-oracle"
+// _ "github.com/external-secrets/external-secrets-provider-scaleway"
+// _ "github.com/external-secrets/external-secrets-provider-senhasegura"
+// _ "github.com/external-secrets/external-secrets-provider-vault"
+// _ "github.com/external-secrets/external-secrets-provider-webhook"
+// _ "github.com/external-secrets/external-secrets-provider-yandex/certificatemanager"
+// _ "github.com/external-secrets/external-secrets-provider-yandex/lockbox"

pkg/remote/client.go

@@ -0,0 +1,155 @@
+package remote
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	pb "github.com/external-secrets/external-secrets/pkg/plugin/grpc"
+	"google.golang.org/grpc"
+)
+
+// Client is a small wrapper to map ESO SecretsClient to gRPC calls
+type Client struct {
+	store     esv1beta1.GenericStore
+	namespace string
+
+	conn       *grpc.ClientConn
+	grpcClient pb.SecretsClientClient
+}
+
+func (s *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
+	storeBytes, err := json.Marshal(s.store)
+	if err != nil {
+		return nil, err
+	}
+	res, err := s.grpcClient.GetSecret(ctx, &pb.GetSecretRequest{
+		Store:     storeBytes,
+		Namespace: s.namespace,
+		RemoteRef: &pb.RemoteRef{
+			Key:                ref.Key,
+			Property:           ref.Property,
+			Version:            ref.Version,
+			MetadataPolicy:     string(ref.MetadataPolicy),
+			ConversionStrategy: string(ref.ConversionStrategy),
+			DecodingStrategy:   string(ref.DecodingStrategy),
+		},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("unable to rpc: %w", err)
+	}
+	log.Printf("rpc secret=%s, err=%s", string(res.Secret), res.Error)
+	return res.Secret, nil
+}
+
+func (s *Client) PushSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
+	storeBytes, err := json.Marshal(s.store)
+	if err != nil {
+		return err
+	}
+	res, err := s.grpcClient.PushSecret(ctx, &pb.PushSecretRequest{
+		Store:     storeBytes,
+		Namespace: s.namespace,
+		Secret:    value,
+		RemoteRef: &pb.PushRemoteRef{
+			RemoteKey: remoteRef.GetRemoteKey(),
+			Property:  remoteRef.GetProperty(),
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("unable to rpc: %w", err)
+	}
+	if res.Error != "" {
+		return fmt.Errorf("rpc error: %s", res.Error)
+	}
+	return nil
+}
+
+func (s *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	storeBytes, err := json.Marshal(s.store)
+	if err != nil {
+		return err
+	}
+	res, err := s.grpcClient.DeleteSecret(ctx, &pb.DeleteSecretRequest{
+		Store:     storeBytes,
+		Namespace: s.namespace,
+		RemoteRef: &pb.PushRemoteRef{
+			RemoteKey: remoteRef.GetRemoteKey(),
+			Property:  remoteRef.GetProperty(),
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("unable to rpc: %w", err)
+	}
+	if res.Error != "" {
+		return fmt.Errorf("rpc error: %s", res.Error)
+	}
+	return nil
+}
+
+func (s *Client) Validate() (esv1beta1.ValidationResult, error) {
+	return esv1beta1.ValidationResultUnknown, nil
+}
+
+func (s *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+	storeBytes, err := json.Marshal(s.store)
+	if err != nil {
+		return nil, err
+	}
+	res, err := s.grpcClient.GetSecretMap(ctx, &pb.GetSecretMapRequest{
+		Store:     storeBytes,
+		Namespace: s.namespace,
+		RemoteRef: &pb.RemoteRef{
+			Key:                ref.Key,
+			Property:           ref.Property,
+			Version:            ref.Version,
+			MetadataPolicy:     string(ref.MetadataPolicy),
+			ConversionStrategy: string(ref.ConversionStrategy),
+			DecodingStrategy:   string(ref.DecodingStrategy),
+		},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("unable to rpc: %w", err)
+	}
+	if res.Error != "" {
+		return nil, fmt.Errorf("rpc error: %s", res.Error)
+	}
+	return res.Data, nil
+}
+
+func (s *Client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	storeBytes, err := json.Marshal(s.store)
+	if err != nil {
+		return nil, err
+	}
+
+	findRef := &pb.ExternalSecretFind{
+		Tags:               ref.Tags,
+		ConversionStrategy: string(ref.ConversionStrategy),
+		DecodingStrategy:   string(ref.DecodingStrategy),
+	}
+	if ref.Path != nil {
+		findRef.Path = *ref.Path
+	}
+	if ref.Name != nil {
+		findRef.FindNameRegexp = ref.Name.RegExp
+	}
+	res, err := s.grpcClient.GetAllSecrets(ctx, &pb.GetAllSecretsRequest{
+		Store:     storeBytes,
+		Namespace: s.namespace,
+		RemoteRef: findRef,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("unable to rpc: %w", err)
+	}
+	if res.Error != "" {
+		return nil, fmt.Errorf("rpc error: %s", res.Error)
+	}
+	return res.Data, nil
+}
+
+func (s *Client) Close(ctx context.Context) error {
+	return s.conn.Close()
+}

pkg/remote/discovery/discovery.go

@@ -0,0 +1,56 @@
+package discovery
+
+import (
+	"log"
+
+	"github.com/fsnotify/fsnotify"
+)
+
+type Discovery struct {
+	watchDir   string
+	dirWatcher *fsnotify.Watcher
+}
+
+func New(watchDir string) (*Discovery, error) {
+	return &Discovery{
+		watchDir: watchDir,
+	}, nil
+}
+
+func (d *Discovery) Start() error {
+	var err error
+	d.dirWatcher, err = fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+
+	go func() {
+		for {
+			select {
+			case event, ok := <-d.dirWatcher.Events:
+				if !ok {
+					return
+				}
+				log.Println("event:", event)
+				if event.Has(fsnotify.Create) {
+					log.Println("created file:", event.Name)
+				}
+				if event.Has(fsnotify.Remove) {
+					log.Println("removed file:", event.Name)
+				}
+
+			case err, ok := <-d.dirWatcher.Errors:
+				if !ok {
+					return
+				}
+				log.Println("error:", err)
+			}
+		}
+	}()
+
+	return d.dirWatcher.Add(d.watchDir)
+}
+
+func (d *Discovery) Close() error {
+	return d.dirWatcher.Close()
+}

pkg/remote/provider.go

@@ -0,0 +1,67 @@
+package remote
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	pb "github.com/external-secrets/external-secrets/pkg/plugin/grpc"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type Provider struct{}
+
+var provider = &Provider{}
+
+func GetProvider(store esapi.GenericStore) (esapi.Provider, error) {
+	return provider, nil
+}
+
+// NewClient constructs a SecretsManager Provider
+func (p *Provider) NewClient(ctx context.Context, store esapi.GenericStore, kube client.Client, namespace string) (esapi.SecretsClient, error) {
+	spec := store.GetSpec()
+	if spec == nil {
+		return nil, errors.New("store spec is nil")
+	}
+	if spec.Provider == nil {
+		return nil, errors.New("store provider is nil")
+	}
+
+	providerName, err := esapi.GetProviderName(spec.Provider)
+	if err != nil {
+		return nil, errors.New("could not get provider name")
+	}
+
+	log.Printf("remote provider found providerName=%s\n", providerName)
+
+	addr := fmt.Sprintf("unix:///tmp/eso-%s.sock", providerName)
+
+	// Set up a connection to the server.
+	conn, err := grpc.Dial(addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		return nil, fmt.Errorf("unable to connect: %w", err)
+	}
+	grpcClient := pb.NewSecretsClientClient(conn)
+
+	return &Client{
+		store:      store,
+		namespace:  namespace,
+		conn:       conn,
+		grpcClient: grpcClient,
+	}, nil
+}
+
+// ValidateStore checks if the provided store is valid
+func (p *Provider) ValidateStore(store esapi.GenericStore) error {
+	return nil
+}
+
+// Capabilities returns the provider Capabilities (Read, Write, ReadWrite)
+func (p *Provider) Capabilities() esapi.SecretStoreCapabilities {
+	return esapi.SecretStoreReadWrite
+}

pkg/remote/shell/shell.go

@@ -0,0 +1,160 @@
+/*
+Copyright © 2022 ESO Maintainer Team
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package shell
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"syscall"
+
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	pb "github.com/external-secrets/external-secrets/pkg/plugin/grpc"
+	"github.com/go-logr/logr"
+	"google.golang.org/grpc"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
+	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+)
+
+type Server struct {
+	pb.UnimplementedSecretsClientServer
+	provider   esapi.Provider
+	scheme     *runtime.Scheme
+	kubeClient client.Client
+	log        logr.Logger
+}
+
+func init() {
+	ctrllog.SetLogger(zap.New())
+}
+
+func RunServer(provider esapi.Provider) error {
+	log := ctrl.Log.WithName("provider")
+	providerName, ok := esapi.GetProviderNameByType(provider)
+	if !ok {
+		return errors.New("could not get provider name by type")
+	}
+
+	scheme := runtime.NewScheme()
+	esapi.AddToScheme(scheme)
+	clientgoscheme.AddToScheme(scheme)
+	restCfg, err := ctrlcfg.GetConfig()
+	if err != nil {
+		return err
+	}
+	kubeClient, err := client.New(restCfg, client.Options{
+		Scheme: scheme,
+	})
+	if err != nil {
+		return err
+	}
+
+	pluginServer := &Server{
+		provider:   provider,
+		scheme:     scheme,
+		kubeClient: kubeClient,
+		log:        log,
+	}
+	sockAddr := fmt.Sprintf("/tmp/eso-%s.sock", providerName)
+	lis, err := net.Listen("unix", sockAddr)
+	if err != nil {
+		return fmt.Errorf("failed to listen: %v", err)
+	}
+	defer lis.Close()
+	defer os.Remove(sockAddr)
+	s := grpc.NewServer()
+
+	go func() {
+		c := make(chan os.Signal, 1) // we need to reserve to buffer size 1, so the notifier are not blocked
+		signal.Notify(c, os.Interrupt, syscall.SIGTERM)
+
+		<-c
+		log.Info("stopping grpc server")
+		s.GracefulStop()
+	}()
+
+	pb.RegisterSecretsClientServer(s, pluginServer)
+	log.Info("server listening ", "addr", lis.Addr())
+	if err := s.Serve(lis); err != nil {
+		log.Error(err, "failed to serve")
+		return err
+	}
+	return nil
+}
+
+func (s *Server) GetSecret(ctx context.Context, req *pb.GetSecretRequest) (*pb.GetSecretReply, error) {
+	store, err := s.decodeStore(req.Store)
+	if err != nil {
+		return nil, err
+	}
+	s.log.Info("GetSecret()", "namespace", req.Namespace, "name", store.GetObjectMeta().Name)
+
+	secretsClient, err := s.provider.NewClient(ctx, store, s.kubeClient, req.Namespace)
+	if err != nil {
+		return nil, err
+	}
+	secret, err := secretsClient.GetSecret(ctx, remoteRef(req.RemoteRef))
+	if err != nil {
+		// TODO: handle NoSecret error on the client side
+		return &pb.GetSecretReply{
+			Error: err.Error(),
+		}, nil
+	}
+	return &pb.GetSecretReply{
+		Secret: secret,
+	}, nil
+}
+func remoteRef(ref *pb.RemoteRef) esapi.ExternalSecretDataRemoteRef {
+	return esapi.ExternalSecretDataRemoteRef{
+		Key:                ref.Key,
+		MetadataPolicy:     esapi.ExternalSecretMetadataPolicy(ref.MetadataPolicy),
+		Property:           ref.Property,
+		Version:            ref.Version,
+		ConversionStrategy: esapi.ExternalSecretConversionStrategy(ref.ConversionStrategy),
+		DecodingStrategy:   esapi.ExternalSecretDecodingStrategy(ref.DecodingStrategy),
+	}
+}
+
+func (s *Server) decodeStore(data []byte) (esapi.GenericStore, error) {
+	obj, gvk, err := serializer.NewCodecFactory(s.scheme).UniversalDeserializer().Decode(data, nil, nil)
+	if err != nil {
+		return nil, fmt.Errorf("unable to decode store data: %w", err)
+	}
+	switch gvk.Kind {
+	case esapi.SecretStoreKind:
+		ss, ok := obj.(*esapi.SecretStore)
+		if !ok {
+			return nil, fmt.Errorf("unable to convert SecretStore object")
+		}
+		return ss, nil
+	case esapi.ClusterSecretStoreKind:
+		css, ok := obj.(*esapi.ClusterSecretStore)
+		if !ok {
+			return nil, fmt.Errorf("unable to convert SecretStore object")
+		}
+		return css, nil
+	}
+	return nil, errors.New("unexpected store data")
+}