
Created new struct for dataFrom

Sebastian Gomez před 4 roky
rodič
revize
48ac7b991f
43 změnil soubory, kde provedl 395 přidání a 303 odebrání
  1. 24 1
      apis/externalsecrets/v1alpha1/externalsecret_types.go
  2. 19 6
      apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
  3. 15 36
      deploy/crds/external-secrets.io_externalsecrets.yaml
  4. 2 0
      docs/api-externalsecret.md
  5. 2 1
      docs/snippets/akeyless-external-secret-json.yaml
  6. 3 1
      docs/snippets/azkv-external-secret.yaml
  7. 4 1
      docs/snippets/basic-external-secret.yaml
  8. 17 4
      docs/snippets/full-external-secret.yaml
  9. 2 1
      docs/snippets/gcpsm-data-from-external-secret.yaml
  10. 2 1
      docs/snippets/gitlab-external-secret-json.yaml
  11. 2 1
      docs/snippets/oracle-external-secret.yaml
  12. 25 53
      e2e/suite/common/common.go
  13. 1 3
      e2e/suite/gcp/gcp.go
  14. 1 0
      hack/api-docs/mkdocs.yml
  15. 1 1
      pkg/controllers/externalsecret/externalsecret_controller.go
  16. 5 7
      pkg/controllers/externalsecret/externalsecret_controller_test.go
  17. 6 6
      pkg/provider/akeyless/akeyless.go
  18. 10 1
      pkg/provider/akeyless/akeyless_test.go
  19. 9 9
      pkg/provider/alibaba/kms.go
  20. 10 2
      pkg/provider/alibaba/kms_test.go
  21. 9 9
      pkg/provider/aws/parameterstore/parameterstore.go
  22. 12 4
      pkg/provider/aws/parameterstore/parameterstore_test.go
  23. 13 13
      pkg/provider/aws/secretsmanager/secretsmanager.go
  24. 19 10
      pkg/provider/aws/secretsmanager/secretsmanager_test.go
  25. 13 12
      pkg/provider/azure/keyvault/keyvault.go
  26. 31 22
      pkg/provider/azure/keyvault/keyvault_test.go
  27. 5 5
      pkg/provider/fake/fake.go
  28. 9 9
      pkg/provider/gcp/secretmanager/secretsmanager.go
  29. 14 7
      pkg/provider/gcp/secretmanager/secretsmanager_test.go
  30. 9 9
      pkg/provider/gitlab/gitlab.go
  31. 10 1
      pkg/provider/gitlab/gitlab_test.go
  32. 10 10
      pkg/provider/ibm/provider.go
  33. 22 13
      pkg/provider/ibm/provider_test.go
  34. 8 8
      pkg/provider/oracle/oracle.go
  35. 10 1
      pkg/provider/oracle/oracle_test.go
  36. 2 2
      pkg/provider/provider.go
  37. 2 2
      pkg/provider/schema/schema_test.go
  38. 5 5
      pkg/provider/vault/vault.go
  39. 6 6
      pkg/provider/vault/vault_test.go
  40. 6 6
      pkg/provider/webhook/webhook.go
  41. 3 5
      pkg/provider/webhook/webhook_test.go
  42. 5 5
      pkg/provider/yandex/lockbox/lockbox.go
  43. 12 4
      pkg/provider/yandex/lockbox/lockbox_test.go

+ 24 - 1
apis/externalsecrets/v1alpha1/externalsecret_types.go

@@ -118,13 +118,36 @@ type ExternalSecretData struct {
 
 // ExternalSecretDataRemoteRef defines Provider data location.
 type ExternalSecretDataRemoteRef struct {
+	// Key is the key used in the Provider, mandatory
+	Key string `json:"key"`
+
+	// Used to select a specific version of the Provider value, if supported
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// +optional
+	// Used to select a specific property of the Provider value (if a map), if supported
+	Property string `json:"property,omitempty"`
+}
+
+// ExternalSecretDataFromRemoteRef defines Provider data location.
+type ExternalSecretDataFromRemoteRef struct {
 	// Used to select a specific version and property from the secret
 	// +optional
 	Extract ExternalSecretExtract `json:"extract,omitempty"`
 	// Used to find secrets based on tags or regular expressions
+	// +optional
 	Find ExternalSecretFind `json:"find,omitempty"`
 }
 
+func (ref ExternalSecretDataFromRemoteRef) GetDataRemoteRef() ExternalSecretDataRemoteRef {
+	return ExternalSecretDataRemoteRef{
+		Key:      ref.Extract.Key,
+		Property: ref.Extract.Property,
+		Version:  ref.Extract.Version,
+	}
+}
+
 type ExternalSecretExtract struct {
 	// Key is the key used in the Provider
 	// +optional
@@ -174,7 +197,7 @@ type ExternalSecretSpec struct {
 	// DataFrom is used to fetch all properties from a specific Provider data
 	// If multiple entries are specified, the Secret keys are merged in the specified order
 	// +optional
-	DataFrom []ExternalSecretDataRemoteRef `json:"dataFrom,omitempty"`
+	DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
 }
 
 type ExternalSecretConditionType string
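Review bot: `GetDataRemoteRef` in the first hunk copies only `Extract` and silently discards `Find`, so a `dataFrom` entry that sets only `find` becomes a reference with an empty `Key` for every caller that goes through this helper. Both `Extract` and `Find` are marked `+optional`, and nothing in this section rejects an entry that sets both or neither; if that is not validated elsewhere, a rule requiring exactly one is needed so a selector cannot be dropped without an error. The exported method also has no doc comment; I would add `// GetDataRemoteRef returns the Extract fields of a dataFrom entry as an ExternalSecretDataRemoteRef; Find is not carried over.` and give `ExternalSecretDataFromRemoteRef` its own description instead of repeating the one on `ExternalSecretDataRemoteRef`.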

+ 19 - 6
apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -389,7 +389,7 @@ func (in *ExternalSecret) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
 	*out = *in
-	in.RemoteRef.DeepCopyInto(&out.RemoteRef)
+	out.RemoteRef = in.RemoteRef
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretData.
@@ -403,12 +403,27 @@ func (in *ExternalSecretData) DeepCopy() *ExternalSecretData {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
+func (in *ExternalSecretDataFromRemoteRef) DeepCopyInto(out *ExternalSecretDataFromRemoteRef) {
 	*out = *in
 	out.Extract = in.Extract
 	in.Find.DeepCopyInto(&out.Find)
 }
 
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataFromRemoteRef.
+func (in *ExternalSecretDataFromRemoteRef) DeepCopy() *ExternalSecretDataFromRemoteRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretDataFromRemoteRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
+	*out = *in
+}
+
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataRemoteRef.
 func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
 	if in == nil {
@@ -502,13 +517,11 @@ func (in *ExternalSecretSpec) DeepCopyInto(out *ExternalSecretSpec) {
 	if in.Data != nil {
 		in, out := &in.Data, &out.Data
 		*out = make([]ExternalSecretData, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+		copy(*out, *in)
 	}
 	if in.DataFrom != nil {
 		in, out := &in.DataFrom, &out.DataFrom
-		*out = make([]ExternalSecretDataRemoteRef, len(*in))
+		*out = make([]ExternalSecretDataFromRemoteRef, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}

+ 15 - 36
deploy/crds/external-secrets.io_externalsecrets.yaml

@@ -59,41 +59,19 @@ spec:
                       description: ExternalSecretDataRemoteRef defines Provider data
                         location.
                       properties:
-                        extract:
-                          description: Used to select a specific version and property
-                            from the secret
-                          properties:
-                            key:
-                              description: Key is the key used in the Provider
-                              type: string
-                            property:
-                              description: Used to select a specific property of the
-                                Provider value (if a map), if supported
-                              type: string
-                            version:
-                              description: Used to select a specific version of the
-                                Provider value, if supported
-                              type: string
-                          type: object
-                        find:
-                          description: Used to find secrets based on tags or regular
-                            expressions
-                          properties:
-                            name:
-                              description: Key is the key used in the Provider
-                              properties:
-                                regexp:
-                                  description: Used to select multiple secrets based
-                                    on a regular expression of the name
-                                  type: string
-                              type: object
-                            tags:
-                              additionalProperties:
-                                type: string
-                              description: Used to select a specific version of the
-                                Provider value, if supported
-                              type: object
-                          type: object
+                        key:
+                          description: Key is the key used in the Provider, mandatory
+                          type: string
+                        property:
+                          description: Used to select a specific property of the Provider
+                            value (if a map), if supported
+                          type: string
+                        version:
+                          description: Used to select a specific version of the Provider
+                            value, if supported
+                          type: string
+                      required:
+                      - key
                       type: object
                     secretKey:
                       type: string
@@ -107,7 +85,8 @@ spec:
                   Provider data If multiple entries are specified, the Secret keys
                   are merged in the specified order
                 items:
-                  description: ExternalSecretDataRemoteRef defines Provider data location.
+                  description: ExternalSecretDataFromRemoteRef defines Provider data
+                    location.
                   properties:
                     extract:
                       description: Used to select a specific version and property

+ 2 - 0
docs/api-externalsecret.md

@@ -4,6 +4,8 @@ be transformed and saved as a `Kind=Secret`:
 * tells the operator what secrets should be synced by using `spec.data` to
   explicitly sync individual keys or use `spec.dataFrom` to get **all values**
   from the external API.
+* you can also use `spec.dataFrom` to sync many secrets at once, based on a
+  regular expression of their name or on tags/attributes
 * you can specify how the secret should look like by specifying a
   `spec.target.template`
 

+ 2 - 1
docs/snippets/akeyless-external-secret-json.yaml

@@ -15,4 +15,5 @@ spec:
 
   # for json formatted secrets: each key in the json will be used as the secret key in the SECRET k8s target object
   dataFrom:
-  - key: secret-name # Full path of the secret on Akeyless
+  - extract:
+      key: secret-name # Full path of the secret on Akeyless

+ 3 - 1
docs/snippets/azkv-external-secret.yaml

@@ -38,4 +38,6 @@ spec:
   # dataFrom , return ALL secrets saved in the referenced secretStore
   # each secret name in the KV will be used as the secret key in the SECRET k8s target object
   dataFrom:
-  - name: "*"
+  - find:
+      name:
+        regexp: "regexp-name"

+ 4 - 1
docs/snippets/basic-external-secret.yaml

@@ -17,4 +17,7 @@ spec:
       version: provider-key-version
       property: provider-key-property
   dataFrom:
-  - key: remote-key-in-the-provider
+  - extract:
+      key: provider-key
+      version: provider-key-version
+      property: provider-key-property

+ 17 - 4
docs/snippets/full-external-secret.yaml

@@ -70,12 +70,25 @@ spec:
         version: provider-key-version
         property: provider-key-property
 
-  # Used to fetch all properties from the Provider key
+  # Used to fetch the desired property from the Provider key
   # If multiple dataFrom are specified, secrets are merged in the specified order
   dataFrom:
-  - key: provider-key
-    version: provider-key-version
-    property: provider-key-property
+  - extract:
+      key: provider-key
+      version: provider-key-version
+      property: provider-key-property
+
+  # Used to fetch many secrets based on a regular expression of their name
+  dataFrom:
+  - find:
+      name:
+        regexp: "regexp-name"
+
+  # Used to fetch many secrets based on the tags (or attributes) in the Provider
+  dataFrom:
+  - find:
+      tags:
+        tag-key: tag-value
 
 status:
   # refreshTime is the time and date the external secret was fetched and

+ 2 - 1
docs/snippets/gcpsm-data-from-external-secret.yaml

@@ -11,4 +11,5 @@ spec:
     name: secret-to-be-created  # name of the k8s Secret to be created
     creationPolicy: Owner
   dataFrom:
-  - key: all-keys-example-secret  # name of the GCPSM secret
+  - extract:
+      key: all-keys-example-secret # name of the GCPSM secret

+ 2 - 1
docs/snippets/gitlab-external-secret-json.yaml

@@ -15,4 +15,5 @@ spec:
 
   # each secret name in the KV will be used as the secret key in the SECRET k8s target object
   dataFrom:
-  - key: "myJsonVariable" # Key of the variable on Gitlab
+  - extract:
+      key: all-keys-example-secret # Key of the variable on Gitlab

+ 2 - 1
docs/snippets/oracle-external-secret.yaml

@@ -11,4 +11,5 @@ spec:
     name: secret-to-be-created # Name for the secret on the cluster
     creationPolicy: Owner
   dataFrom:
-    - key: the-secret-name
+  - extract:
+      key: the-secret-name

+ 25 - 53
e2e/suite/common/common.go

@@ -52,17 +52,13 @@ func SimpleDataSync(f *framework.Framework) (string, func(*framework.TestCase))
 			{
 				SecretKey: secretKey1,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key: secretKey1,
-					},
+					Key: secretKey1,
 				},
 			},
 			{
 				SecretKey: secretKey2,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key: secretKey2,
-					},
+					Key: secretKey2,
 				},
 			},
 		}
@@ -89,9 +85,7 @@ func SyncWithoutTargetName(f *framework.Framework) (string, func(*framework.Test
 			{
 				SecretKey: secretKey1,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key: secretKey1,
-					},
+					Key: secretKey1,
 				},
 			},
 		}
@@ -121,19 +115,15 @@ func JSONDataWithProperty(f *framework.Framework) (string, func(*framework.TestC
 			{
 				SecretKey: secretKey1,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey1,
-						Property: "foo1",
-					},
+					Key:      secretKey1,
+					Property: "foo1",
 				},
 			},
 			{
 				SecretKey: secretKey2,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey2,
-						Property: "bar2",
-					},
+					Key:      secretKey2,
+					Property: "bar2",
 				},
 			},
 		}
@@ -160,10 +150,8 @@ func JSONDataWithoutTargetName(f *framework.Framework) (string, func(*framework.
 			{
 				SecretKey: secretKey,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey,
-						Property: "foo",
-					},
+					Key:      secretKey,
+					Property: "foo",
 				},
 			},
 		}
@@ -213,19 +201,15 @@ func JSONDataWithTemplate(f *framework.Framework) (string, func(*framework.TestC
 			{
 				SecretKey: "one",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey1,
-						Property: "foo1",
-					},
+					Key:      secretKey1,
+					Property: "foo1",
 				},
 			},
 			{
 				SecretKey: "two",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey2,
-						Property: "bar2",
-					},
+					Key:      secretKey2,
+					Property: "bar2",
 				},
 			},
 		}
@@ -251,7 +235,7 @@ func JSONDataFromSync(f *framework.Framework) (string, func(*framework.TestCase)
 				targetSecretKey2: []byte(targetSecretValue2),
 			},
 		}
-		tc.ExternalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.ExternalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
 			{
 				Extract: esv1alpha1.ExternalSecretExtract{
 					Key: secretKey1,
@@ -295,19 +279,15 @@ func NestedJSONWithGJSON(f *framework.Framework) (string, func(*framework.TestCa
 			{
 				SecretKey: targetSecretKey1,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey1,
-						Property: "name.first",
-					},
+					Key:      secretKey1,
+					Property: "name.first",
 				},
 			},
 			{
 				SecretKey: targetSecretKey2,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey1,
-						Property: "friends.1.first",
-					},
+					Key:      secretKey1,
+					Property: "friends.1.first",
 				},
 			},
 		}
@@ -337,10 +317,8 @@ func DockerJSONConfig(f *framework.Framework) (string, func(*framework.TestCase)
 			{
 				SecretKey: "mysecret",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      cloudSecretName,
-						Property: "dockerconfig",
-					},
+					Key:      cloudSecretName,
+					Property: "dockerconfig",
 				},
 			},
 		}
@@ -377,10 +355,8 @@ func DataPropertyDockerconfigJSON(f *framework.Framework) (string, func(*framewo
 			{
 				SecretKey: "mysecret",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      cloudSecretName,
-						Property: "dockerconfig",
-					},
+					Key:      cloudSecretName,
+					Property: "dockerconfig",
 				},
 			},
 		}
@@ -453,9 +429,7 @@ func SSHKeySync(f *framework.Framework) (string, func(*framework.TestCase)) {
 			{
 				SecretKey: "mysecret",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key: sshSecretName,
-					},
+					Key: sshSecretName,
 				},
 			},
 		}
@@ -527,10 +501,8 @@ func SSHKeySyncDataProperty(f *framework.Framework) (string, func(*framework.Tes
 			{
 				SecretKey: "mysecret",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      cloudSecretName,
-						Property: "ssh-auth",
-					},
+					Key:      cloudSecretName,
+					Property: "ssh-auth",
 				},
 			},
 		}

+ 1 - 3
e2e/suite/gcp/gcp.go

@@ -138,9 +138,7 @@ x6HaRh+EUwU51von6M9lEF9/p5Q=
 		{
 			SecretKey: "mysecret",
 			RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-				Extract: esv1alpha1.ExternalSecretExtract{
-					Key: cloudSecretName,
-				},
+				Key: cloudSecretName,
 			},
 		},
 	}

+ 1 - 0
hack/api-docs/mkdocs.yml

@@ -32,6 +32,7 @@ nav:
     - Getting started: guides-getting-started.md
     - Advanced Templating: guides-templating.md
     - All keys, One secret: guides-all-keys-one-secret.md
+    - Multiple secrets: guides-multiple-secrets.md
     - Common K8S Secret Types: guides-common-k8s-secret-types.md
     - Multi Tenancy: guides-multi-tenancy.md
     - Metrics: guides-metrics.md

+ 1 - 1
pkg/controllers/externalsecret/externalsecret_controller.go

@@ -419,7 +419,7 @@ func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient p
 	for _, secretRef := range externalSecret.Spec.Data {
 		secretData, err := providerClient.GetSecret(ctx, secretRef.RemoteRef)
 		if err != nil {
-			return nil, fmt.Errorf(errGetSecretKey, secretRef.RemoteRef.Extract.Key, externalSecret.Name, err)
+			return nil, fmt.Errorf(errGetSecretKey, secretRef.RemoteRef.Key, externalSecret.Name, err)
 		}
 
 		providerData[secretRef.SecretKey] = secretData

+ 5 - 7
pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -217,10 +217,8 @@ var _ = Describe("ExternalSecret controller", func() {
 						{
 							SecretKey: targetProp,
 							RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-								Extract: esv1alpha1.ExternalSecretExtract{
-									Key:      remoteKey,
-									Property: remoteProperty,
-								},
+								Key:      remoteKey,
+								Property: remoteProperty,
 							},
 						},
 					},
@@ -522,7 +520,7 @@ var _ = Describe("ExternalSecret controller", func() {
 				tplStaticKey: tplStaticVal,
 			},
 		}
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
 			{
 				Extract: esv1alpha1.ExternalSecretExtract{
 					Key: "datamap",
@@ -690,7 +688,7 @@ var _ = Describe("ExternalSecret controller", func() {
 	// should be put into the secret
 	syncWithDataFrom := func(tc *testCase) {
 		tc.externalSecret.Spec.Data = nil
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
 			{
 				Extract: esv1alpha1.ExternalSecretExtract{
 					Key: remoteKey,
@@ -719,7 +717,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			},
 		}
 
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
 			{
 				Extract: esv1alpha1.ExternalSecretExtract{
 					Key: remoteKey,

+ 6 - 6
pkg/provider/akeyless/akeyless.go

@@ -115,13 +115,13 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
 		return nil, err
 	}
 	version := int32(0)
-	if ref.Extract.Version != "" {
-		i, err := strconv.ParseInt(ref.Extract.Version, 10, 32)
+	if ref.Version != "" {
+		i, err := strconv.ParseInt(ref.Version, 10, 32)
 		if err == nil {
 			version = int32(i)
 		}
 	}
-	value, err := a.Client.GetSecretByType(ref.Extract.Key, token, version)
+	value, err := a.Client.GetSecretByType(ref.Key, token, version)
 	if err != nil {
 		return nil, err
 	}
@@ -130,19 +130,19 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
 
 // Implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
-func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(a.Client) {
 		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
 	}
 
-	val, err := a.GetSecret(ctx, ref)
+	val, err := a.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
 	}
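Review bot: In `GetSecret` (first hunk) the `strconv.ParseInt` error on `ref.Version` is ignored, so a version string that does not parse leaves `version` at 0 and the request proceeds with a version other than the one the manifest pinned, without any error. A mistyped pin should fail the sync rather than fall back; return the error instead, e.g. `if err != nil { return nil, fmt.Errorf("invalid version %q for key %q: %w", ref.Version, ref.Key, err) }`. What version 0 selects is decided by the Akeyless client, which is not visible here. `GetSecret` starts before the hunk.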

+ 10 - 1
pkg/provider/akeyless/akeyless_test.go

@@ -29,6 +29,7 @@ type akeylessTestCase struct {
 	apiInput       *fakeakeyless.Input
 	apiOutput      *fakeakeyless.Output
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	expectError    string
 	expectedSecret string
 	// for testing secretmap
@@ -40,6 +41,7 @@ func makeValidAkeylessTestCase() *akeylessTestCase {
 		mockClient:     &fakeakeyless.AkeylessMockClient{},
 		apiInput:       makeValidInput(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidOutput(),
 		expectError:    "",
 		expectedSecret: "",
@@ -51,6 +53,13 @@ func makeValidAkeylessTestCase() *akeylessTestCase {
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "1",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Version: "1",
@@ -149,7 +158,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := Akeyless{}
 	for k, v := range successCases {
 		sm.Client = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
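Review bot: The test case now carries `ref` and `refFrom` built by two separate constructors that repeat the same literals, so a case that customises only `ref` leaves the `GetSecretMap` call on the default key without failing. Deriving one from the other keeps them in step, e.g. `ref := makeValidRefFrom().GetDataRemoteRef()` inside `makeValidRef`. Nothing in the visible hunks tests a `dataFrom` entry that sets only `find`, so that path of the new struct appears to be untested. The same pattern is repeated in pkg/provider/alibaba/kms_test.go and pkg/provider/aws/parameterstore/parameterstore_test.go.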

+ 9 - 9
pkg/provider/alibaba/kms.go

@@ -116,40 +116,40 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.E
 		return nil, fmt.Errorf(errUninitalizedAlibabaProvider)
 	}
 	kmsRequest := kmssdk.CreateGetSecretValueRequest()
-	kmsRequest.VersionId = ref.Extract.Version
-	kmsRequest.SecretName = ref.Extract.Key
+	kmsRequest.VersionId = ref.Version
+	kmsRequest.SecretName = ref.Key
 	kmsRequest.SetScheme("https")
 	secretOut, err := kms.Client.GetSecretValue(kmsRequest)
 	if err != nil {
 		return nil, util.SanitizeErr(err)
 	}
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if secretOut.SecretData != "" {
 			return []byte(secretOut.SecretData), nil
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
 	}
 	var payload string
 	if secretOut.SecretData != "" {
 		payload = secretOut.SecretData
 	}
-	val := gjson.Get(payload, ref.Extract.Property)
+	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	return []byte(val.String()), nil
 }
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	data, err := kms.GetSecret(ctx, ref)
+func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+	data, err := kms.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
 	}
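Review bot: `GetAllSecrets` now takes the new `ExternalSecretDataFromRemoteRef` but is still a stub that returns an empty map and a nil error, so a caller cannot tell "nothing matched" from "not implemented". If the controller routes `find` entries here (not visible on this page), the target Secret would sync successfully with no keys. Until the lookup exists, return an explicit error such as `return nil, fmt.Errorf("GetAllSecrets is not implemented for this provider")`. The same stub appears in pkg/provider/akeyless/akeyless.go and pkg/provider/aws/parameterstore/parameterstore.go; `GetSecretMap` continues past the end of the hunk.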

+ 10 - 2
pkg/provider/alibaba/kms_test.go

@@ -38,6 +38,7 @@ type keyManagementServiceTestCase struct {
 	apiInput       *kmssdk.GetSecretValueRequest
 	apiOutput      *kmssdk.GetSecretValueResponse
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -50,6 +51,7 @@ func makeValidKMSTestCase() *keyManagementServiceTestCase {
 		mockClient:     &fakesm.AlibabaMockClient{},
 		apiInput:       makeValidAPIInput(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		apiErr:         nil,
 		expectError:    "",
@@ -62,6 +64,12 @@ func makeValidKMSTestCase() *keyManagementServiceTestCase {
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key: secretName,
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key: secretName,
 		},
@@ -129,7 +137,7 @@ func TestAlibabaKMSGetSecret(t *testing.T) {
 	// good case: custom version set
 	setCustomKey := func(kmstc *keyManagementServiceTestCase) {
 		kmstc.apiOutput.SecretName = "test-example-other"
-		kmstc.ref.Extract.Key = "test-example-other"
+		kmstc.ref.Key = "test-example-other"
 		kmstc.apiOutput.SecretData = secretValue
 		kmstc.expectedSecret = secretValue
 	}
@@ -178,7 +186,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := KeyManagementService{}
 	for k, v := range successCases {
 		sm.Client = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}

+ 9 - 9
pkg/provider/aws/parameterstore/parameterstore.go

@@ -50,38 +50,38 @@ func New(sess client.ConfigProvider) (*ParameterStore, error) {
 
 // GetSecret returns a single secret from the provider.
 func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	log.Info("fetching secret value", "key", ref.Extract.Key)
+	log.Info("fetching secret value", "key", ref.Key)
 	out, err := pm.client.GetParameter(&ssm.GetParameterInput{
-		Name:           &ref.Extract.Key,
+		Name:           &ref.Key,
 		WithDecryption: aws.Bool(true),
 	})
 	if err != nil {
 		return nil, util.SanitizeErr(err)
 	}
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if out.Parameter.Value != nil {
 			return []byte(*out.Parameter.Value), nil
 		}
-		return nil, fmt.Errorf("invalid secret received. parameter value is nil for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. parameter value is nil for key: %s", ref.Key)
 	}
-	val := gjson.Get(*out.Parameter.Value, ref.Extract.Property)
+	val := gjson.Get(*out.Parameter.Value, ref.Property)
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	return []byte(val.String()), nil
 }
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	log.Info("fetching secret map", "key", ref.Extract.Key)
-	data, err := pm.GetSecret(ctx, ref)
+	data, err := pm.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
 	}
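Review bot: `GetSecret` dereferences `*out.Parameter.Value` in the `gjson.Get` call without a nil check; the existing check covers only the `ref.Property == ""` branch. A parameter returned without a value while `property` is set would panic the reconciler instead of returning an error. Hoist the guard above the branch, e.g. `if out.Parameter == nil || out.Parameter.Value == nil { return nil, fmt.Errorf("invalid secret received. parameter value is nil for key: %s", ref.Key) }`. `GetSecretMap` continues outside the hunk.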

+ 12 - 4
pkg/provider/aws/parameterstore/parameterstore_test.go

@@ -32,6 +32,7 @@ type parameterstoreTestCase struct {
 	apiInput       *ssm.GetParameterInput
 	apiOutput      *ssm.GetParameterOutput
 	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
+	remoteRefFrom  *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -44,6 +45,7 @@ func makeValidParameterStoreTestCase() *parameterstoreTestCase {
 		apiInput:       makeValidAPIInput(),
 		apiOutput:      makeValidAPIOutput(),
 		remoteRef:      makeValidRemoteRef(),
+		remoteRefFrom:  makeValidRemoteRefFrom(),
 		apiErr:         nil,
 		expectError:    "",
 		expectedSecret: "",
@@ -68,6 +70,12 @@ func makeValidAPIOutput() *ssm.GetParameterOutput {
 
 func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key: "/baz",
+	}
+}
+
+func makeValidRemoteRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key: "/baz",
 		},
@@ -96,20 +104,20 @@ func TestGetSecret(t *testing.T) {
 	setExtractProperty := func(pstc *parameterstoreTestCase) {
 		pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
 		pstc.expectedSecret = "bang"
-		pstc.remoteRef.Extract.Property = "/shmoo"
+		pstc.remoteRef.Property = "/shmoo"
 	}
 
 	// bad case: missing property
 	setMissingProperty := func(pstc *parameterstoreTestCase) {
 		pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
-		pstc.remoteRef.Extract.Property = "INVALPROP"
+		pstc.remoteRef.Property = "INVALPROP"
 		pstc.expectError = "key INVALPROP does not exist in secret"
 	}
 
 	// bad case: extract property failure due to invalid json
 	setPropertyFail := func(pstc *parameterstoreTestCase) {
 		pstc.apiOutput.Parameter.Value = aws.String(`------`)
-		pstc.remoteRef.Extract.Property = "INVALPROP"
+		pstc.remoteRef.Property = "INVALPROP"
 		pstc.expectError = "key INVALPROP does not exist in secret"
 	}
 
@@ -176,7 +184,7 @@ func TestGetSecretMap(t *testing.T) {
 	ps := ParameterStore{}
 	for k, v := range successCases {
 		ps.client = v.fakeClient
-		out, err := ps.GetSecretMap(context.Background(), *v.remoteRef)
+		out, err := ps.GetSecretMap(context.Background(), *v.remoteRefFrom)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
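Review bot: The failure branch calls `err.Error()` unconditionally, so a case that expects an error while GetSecretMap returns nil would panic on a nil dereference instead of reporting the mismatch. This assumes `ErrorContains` returns false for a nil error with a non-empty expectation; it is defined outside this hunk. Formatting the error value directly avoids the panic: `t.Errorf("[%d] unexpected error: %v, expected: '%s'", k, err, v.expectError)`. The same pattern appears in the GetSecretMap and GetAllSecrets loops of the Secrets Manager, Key Vault, GCP and GitLab tests on this page. The loop body continues outside the hunk.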

+ 13 - 13
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -52,18 +52,18 @@ func New(sess client.ConfigProvider) (*SecretsManager, error) {
 
 func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
 	ver := "AWSCURRENT"
-	if ref.Extract.Version != "" {
-		ver = ref.Extract.Version
+	if ref.Version != "" {
+		ver = ref.Version
 	}
-	log.Info("fetching secret value", "key", ref.Extract.Key, "version", ver)
+	log.Info("fetching secret value", "key", ref.Key, "version", ver)
 
-	cacheKey := fmt.Sprintf("%s#%s", ref.Extract.Key, ver)
+	cacheKey := fmt.Sprintf("%s#%s", ref.Key, ver)
 	if secretOut, found := sm.cache[cacheKey]; found {
-		log.Info("found secret in cache", "key", ref.Extract.Key, "version", ver)
+		log.Info("found secret in cache", "key", ref.Key, "version", ver)
 		return secretOut, nil
 	}
 	secretOut, err := sm.client.GetSecretValue(&awssm.GetSecretValueInput{
-		SecretId:     &ref.Extract.Key,
+		SecretId:     &ref.Key,
 		VersionStage: &ver,
 	})
 	if err != nil {
@@ -80,14 +80,14 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.External
 	if err != nil {
 		return nil, util.SanitizeErr(err)
 	}
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if secretOut.SecretString != nil {
 			return []byte(*secretOut.SecretString), nil
 		}
 		if secretOut.SecretBinary != nil {
 			return secretOut.SecretBinary, nil
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
 	}
 	var payload string
 	if secretOut.SecretString != nil {
@@ -97,17 +97,17 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.External
 		payload = string(secretOut.SecretBinary)
 	}
 
-	val := gjson.Get(payload, ref.Extract.Property)
+	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	return []byte(val.String()), nil
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	log.Info("fetching secret map", "key", ref.Extract.Key)
-	data, err := sm.GetSecret(ctx, ref)
+	data, err := sm.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
 	}
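Review bot: GetSecretMap reads only `ref.Extract` and never checks that it is populated, although the new `ExternalSecretDataFromRemoteRef` also carries a `Find` selector (used by the Key Vault provider on this page). If a find-only entry reaches this method, `ref.GetDataRemoteRef()` presumably yields an empty key and the provider is called with an empty `SecretId`; whether the controller routes such entries elsewhere is not visible here. A guard at the top, such as `if ref.Extract.Key == "" { return nil, fmt.Errorf("dataFrom extract key must be set") }`, would fail closed with a clear message. The same applies to the Parameter Store, GCP and GitLab GetSecretMap changes. The function body continues outside the hunk.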
@@ -131,7 +131,7 @@ func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.Exter
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (sm *SecretsManager) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *SecretsManager) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }

+ 19 - 10
pkg/provider/aws/secretsmanager/secretsmanager_test.go

@@ -33,6 +33,7 @@ type secretsManagerTestCase struct {
 	apiInput       *awssm.GetSecretValueInput
 	apiOutput      *awssm.GetSecretValueOutput
 	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
+	remoteRefFrom  *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -49,6 +50,7 @@ func makeValidSecretsManagerTestCase() *secretsManagerTestCase {
 		fakeClient:     fakesm.NewClient(),
 		apiInput:       makeValidAPIInput(),
 		remoteRef:      makeValidRemoteRef(),
+		remoteRefFrom:  makeValidRemoteRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		apiErr:         nil,
 		expectError:    "",
@@ -61,6 +63,13 @@ func makeValidSecretsManagerTestCase() *secretsManagerTestCase {
 
 func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "/baz",
+		Version: "AWSCURRENT",
+	}
+}
+
+func makeValidRemoteRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "/baz",
 			Version: "AWSCURRENT",
@@ -110,20 +119,20 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 	// good case: extract property
 	// Testing that the property exists in the SecretString
 	setRemoteRefPropertyExistsInKey := func(smtc *secretsManagerTestCase) {
-		smtc.remoteRef.Extract.Property = "/shmoo"
+		smtc.remoteRef.Property = "/shmoo"
 		smtc.apiOutput.SecretString = aws.String(`{"/shmoo": "bang"}`)
 		smtc.expectedSecret = "bang"
 	}
 
 	// bad case: missing property
 	setRemoteRefMissingProperty := func(smtc *secretsManagerTestCase) {
-		smtc.remoteRef.Extract.Property = "INVALPROP"
+		smtc.remoteRef.Property = "INVALPROP"
 		smtc.expectError = "key INVALPROP does not exist in secret"
 	}
 
 	// bad case: extract property failure due to invalid json
 	setRemoteRefMissingPropertyInvalidJSON := func(smtc *secretsManagerTestCase) {
-		smtc.remoteRef.Extract.Property = "INVALPROP"
+		smtc.remoteRef.Property = "INVALPROP"
 		smtc.apiOutput.SecretString = aws.String(`------`)
 		smtc.expectError = "key INVALPROP does not exist in secret"
 	}
@@ -146,14 +155,14 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 	setNestedSecretValueJSONParsing := func(smtc *secretsManagerTestCase) {
 		smtc.apiOutput.SecretString = nil
 		smtc.apiOutput.SecretBinary = []byte(`{"foobar":{"baz":"nestedval"}}`)
-		smtc.remoteRef.Extract.Property = "foobar.baz"
+		smtc.remoteRef.Property = "foobar.baz"
 		smtc.expectedSecret = "nestedval"
 	}
 
 	// good case: custom version set
 	setCustomVersion := func(smtc *secretsManagerTestCase) {
 		smtc.apiInput.VersionStage = aws.String("1234")
-		smtc.remoteRef.Extract.Version = "1234"
+		smtc.remoteRef.Version = "1234"
 		smtc.apiOutput.SecretString = aws.String("FOOBA!")
 		smtc.expectedSecret = "FOOBA!"
 	}
@@ -192,26 +201,26 @@ func TestCaching(t *testing.T) {
 	// over 1
 	firstCall := func(smtc *secretsManagerTestCase) {
 		smtc.apiOutput.SecretString = aws.String(`{"foo":"bar", "bar":"vodka"}`)
-		smtc.remoteRef.Extract.Property = "foo"
+		smtc.remoteRef.Property = "foo"
 		smtc.expectedSecret = "bar"
 		smtc.expectedCounter = aws.Int(1)
 		smtc.fakeClient = fakeClient
 	}
 	secondCall := func(smtc *secretsManagerTestCase) {
 		smtc.apiOutput.SecretString = aws.String(`{"foo":"bar", "bar":"vodka"}`)
-		smtc.remoteRef.Extract.Property = "bar"
+		smtc.remoteRef.Property = "bar"
 		smtc.expectedSecret = "vodka"
 		smtc.expectedCounter = aws.Int(1)
 		smtc.fakeClient = fakeClient
 	}
 	notCachedCall := func(smtc *secretsManagerTestCase) {
 		smtc.apiOutput.SecretString = aws.String(`{"sheldon":"bazinga", "bar":"foo"}`)
-		smtc.remoteRef.Extract.Property = "sheldon"
+		smtc.remoteRef.Property = "sheldon"
 		smtc.expectedSecret = "bazinga"
 		smtc.expectedCounter = aws.Int(2)
 		smtc.fakeClient = fakeClient
 		smtc.apiInput.SecretId = aws.String("xyz")
-		smtc.remoteRef.Extract.Key = "xyz" // it should reset the cache since the key is different
+		smtc.remoteRef.Key = "xyz" // it should reset the cache since the key is different
 	}
 
 	cachedCases := []*secretsManagerTestCase{
@@ -278,7 +287,7 @@ func TestGetSecretMap(t *testing.T) {
 			cache:  make(map[string]*awssm.GetSecretValueOutput),
 			client: v.fakeClient,
 		}
-		out, err := sm.GetSecretMap(context.Background(), *v.remoteRef)
+		out, err := sm.GetSecretMap(context.Background(), *v.remoteRefFrom)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf(unexpectedErrorString, k, err.Error(), v.expectError)
 		}

+ 13 - 12
pkg/provider/azure/keyvault/keyvault.go

@@ -99,8 +99,8 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
 		return nil, fmt.Errorf("%s name cannot be empty", objectType)
 	}
 
-	if ref.Extract.Version != "" {
-		version = ref.Extract.Version
+	if ref.Version != "" {
+		version = ref.Version
 	}
 
 	switch objectType {
@@ -111,12 +111,12 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
 		if err != nil {
 			return nil, err
 		}
-		if ref.Extract.Property == "" {
+		if ref.Property == "" {
 			return []byte(*secretResp.Value), nil
 		}
-		res := gjson.Get(*secretResp.Value, ref.Extract.Property)
+		res := gjson.Get(*secretResp.Value, ref.Property)
 		if !res.Exists() {
-			return nil, fmt.Errorf("property %s does not exist in key %s", ref.Extract.Property, ref.Extract.Key)
+			return nil, fmt.Errorf("property %s does not exist in key %s", ref.Property, ref.Key)
 		}
 		return []byte(res.String()), err
 	case "cert":
@@ -143,12 +143,13 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
 
 // Implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
-func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	objectType, secretName := getObjType(ref)
+func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+	dataRef := ref.GetDataRemoteRef()
+	objectType, secretName := getObjType(dataRef)
 
 	switch objectType {
 	case defaultObjType:
-		data, err := a.GetSecret(ctx, ref)
+		data, err := a.GetSecret(ctx, dataRef)
 		if err != nil {
 			return nil, err
 		}
@@ -176,7 +177,7 @@ func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretD
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	basicClient := a.baseClient
 	secretsMap := make(map[string][]byte)
 	checkTags := len(ref.Find.Tags) > 0
@@ -218,12 +219,12 @@ func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecret
 	return secretsMap, nil
 }
 
-func okByName(ref esv1alpha1.ExternalSecretDataRemoteRef, secretName string) bool {
+func okByName(ref esv1alpha1.ExternalSecretDataFromRemoteRef, secretName string) bool {
 	matches, _ := regexp.MatchString(ref.Find.Name.RegExp, secretName)
 	return matches
 }
 
-func okByTags(ref esv1alpha1.ExternalSecretDataRemoteRef, secret keyvault.SecretItem) bool {
+func okByTags(ref esv1alpha1.ExternalSecretDataFromRemoteRef, secret keyvault.SecretItem) bool {
 	tagsFound := true
 	for k, v := range ref.Find.Tags {
 		if val, ok := secret.Tags[k]; !ok || *val != v {
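Review bot: `okByName` discards the error from `regexp.MatchString`, so an invalid `ref.Find.Name.RegExp` silently selects nothing, and the pattern is recompiled for every secret. Compiling once in GetAllSecrets and returning the error (`re, err := regexp.Compile(ref.Find.Name.RegExp)`, then `re.MatchString(secretName)`) would surface a bad selector to the user. The match is also unanchored, so a pattern written as a plain name selects every secret that contains it; that is worth stating in the field documentation. In `okByTags`, `*val` is dereferenced without a nil check, which panics if the tag map holds a nil pointer; `!ok || val == nil || *val != v` avoids that. okByTags continues outside the hunk.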
@@ -333,7 +334,7 @@ func (a *Azure) Close(ctx context.Context) error {
 func getObjType(ref esv1alpha1.ExternalSecretDataRemoteRef) (string, string) {
 	objectType := defaultObjType
 
-	secretName := ref.Extract.Key
+	secretName := ref.Key
 	nameSplitted := strings.Split(secretName, "/")
 
 	if len(nameSplitted) > 1 {

+ 31 - 22
pkg/provider/azure/keyvault/keyvault_test.go

@@ -39,6 +39,7 @@ type secretManagerTestCase struct {
 	secretVersion  string
 	serviceURL     string
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	secretOutput   keyvault.SecretBundle
 	keyOutput      keyvault.KeyBundle
@@ -57,6 +58,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		secretName:     "MySecret",
 		secretVersion:  "",
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		secretOutput:   keyvault.SecretBundle{Value: &secretString},
 		serviceURL:     "",
 		apiErr:         nil,
@@ -188,7 +190,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 	}
 
 	badNoNameSecret := func(smtc *secretManagerTestCase) {
-		smtc.ref.Extract.Key = ""
+		smtc.ref.Key = ""
 		smtc.expectedSecret = ""
 		smtc.secretName = "secret/"
 		smtc.expectError = fmt.Sprintf("%s name cannot be empty", "secret")
@@ -199,8 +201,8 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &secretString,
 		}
-		smtc.ref.Extract.Version = "v1"
-		smtc.secretVersion = smtc.ref.Extract.Version
+		smtc.ref.Version = "v1"
+		smtc.secretVersion = smtc.ref.Version
 	}
 
 	setSecretWithProperty := func(smtc *secretManagerTestCase) {
@@ -209,7 +211,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &jsonString,
 		}
-		smtc.ref.Extract.Property = "Name"
+		smtc.ref.Property = "Name"
 	}
 
 	badSecretWithProperty := func(smtc *secretManagerTestCase) {
@@ -218,8 +220,8 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &jsonString,
 		}
-		smtc.ref.Extract.Property = "Age"
-		smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Extract.Property, smtc.ref.Extract.Key)
+		smtc.ref.Property = "Age"
+		smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Property, smtc.ref.Key)
 		smtc.apiErr = fmt.Errorf(smtc.expectError)
 	}
 
@@ -230,7 +232,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.keyOutput = keyvault.KeyBundle{
 			Key: newKVJWK([]byte(jwkPubRSA)),
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.ref.Key = smtc.secretName
 	}
 
 	// // good case: key set
@@ -240,7 +242,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.keyOutput = keyvault.KeyBundle{
 			Key: newKVJWK([]byte(jwkPubEC)),
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.ref.Key = smtc.secretName
 	}
 
 	// // good case: key set
@@ -251,14 +253,14 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.certOutput = keyvault.CertificateBundle{
 			Cer: &byteArrString,
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.ref.Key = smtc.secretName
 	}
 
 	badSecretType := func(smtc *secretManagerTestCase) {
 		smtc.secretName = "name"
 		smtc.expectedSecret = ""
 		smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
-		smtc.ref.Extract.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
+		smtc.ref.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
 	}
 
 	successCases := []*secretManagerTestCase{
@@ -313,7 +315,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &jsonString,
 		}
-		smtc.ref.Extract.Property = "Address"
+		smtc.refFrom.Extract.Property = "Address"
 
 		smtc.expectedData["Street"] = []byte("Myroad st.")
 		smtc.expectedData["CP"] = []byte("J4K4T4")
@@ -325,8 +327,8 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &jsonString,
 		}
-		smtc.ref.Extract.Property = "Age"
-		smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Extract.Property, smtc.ref.Extract.Key)
+		smtc.refFrom.Extract.Property = "Age"
+		smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Property, smtc.ref.Key)
 		smtc.apiErr = fmt.Errorf(smtc.expectError)
 	}
 
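Review bot: In this bad-property case the property is now set on `smtc.refFrom.Extract`, but `expectError` is still formatted from `smtc.ref.Property` and `smtc.ref.Key`. `ref.Property` is not set in this setup function, so the expected message would no longer name `Age`. It should be built from the ref that is passed to GetSecretMap: `smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.refFrom.Extract.Property, smtc.refFrom.Extract.Key)`. Because `apiErr` is assigned the same string, the test may still pass while asserting on the mock's error rather than on the provider's property check. `fmt.Errorf(smtc.expectError)` also uses a non-constant format string; `fmt.Errorf("%s", smtc.expectError)` is safer.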
@@ -336,7 +338,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.keyOutput = keyvault.KeyBundle{
 			Key: newKVJWK([]byte(jwkPubRSA)),
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.refFrom.Extract.Key = smtc.secretName
 		smtc.expectError = "cannot get use dataFrom to get key secret"
 	}
 
@@ -347,7 +349,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.certOutput = keyvault.CertificateBundle{
 			Cer: &byteArrString,
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.refFrom.Extract.Key = smtc.secretName
 		smtc.expectError = "cannot get use dataFrom to get certificate secret"
 	}
 
@@ -355,7 +357,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.secretName = "name"
 		smtc.expectedSecret = ""
 		smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
-		smtc.ref.Extract.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
+		smtc.refFrom.Extract.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
 	}
 
 	successCases := []*secretManagerTestCase{
@@ -371,7 +373,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 	sm := Azure{}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !utils.ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
@@ -398,7 +400,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	}
 
 	setOneSecretByName := func(smtc *secretManagerTestCase) {
-		smtc.ref.Find.Name.RegExp = regexp
+		smtc.refFrom.Find.Name.RegExp = regexp
 		enabledAtt := keyvault.SecretAttributes{
 			Enabled: &enabled,
 		}
@@ -426,7 +428,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	}
 
 	setTwoSecretsByName := func(smtc *secretManagerTestCase) {
-		smtc.ref.Find.Name.RegExp = regexp
+		smtc.refFrom.Find.Name.RegExp = regexp
 		enabledAtt := keyvault.SecretAttributes{
 			Enabled: &enabled,
 		}
@@ -482,7 +484,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &secretString,
 		}
-		smtc.ref.Find.Tags = map[string]string{"environment": environment}
+		smtc.refFrom.Find.Tags = map[string]string{"environment": environment}
 
 		smtc.expectedData[secretName] = []byte(secretString)
 	}
@@ -512,7 +514,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &secretString,
 		}
-		smtc.ref.Find.Tags = map[string]string{"environment": environment, "author": author}
+		smtc.refFrom.Find.Tags = map[string]string{"environment": environment, "author": author}
 
 		smtc.expectedData[secretName] = []byte(secretString)
 	}
@@ -527,7 +529,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	sm := Azure{}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
-		out, err := sm.GetAllSecrets(context.Background(), *v.ref)
+		out, err := sm.GetAllSecrets(context.Background(), *v.refFrom)
 		if !utils.ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
@@ -539,6 +541,13 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Version: "default",

+ 5 - 5
pkg/provider/fake/fake.go

@@ -31,7 +31,7 @@ type Client struct {
 	NewFn func(context.Context, esv1alpha1.GenericStore, client.Client,
 		string) (provider.SecretsClient, error)
 	GetSecretFn    func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
-	GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
+	GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 }
 
 // New returns a fake provider/client.
@@ -40,7 +40,7 @@ func New() *Client {
 		GetSecretFn: func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
 			return nil, nil
 		},
-		GetSecretMapFn: func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+		GetSecretMapFn: func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 			return nil, nil
 		},
 	}
@@ -72,13 +72,13 @@ func (v *Client) WithGetSecret(secData []byte, err error) *Client {
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (v *Client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (v *Client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
 
 // GetSecretMap imeplements the provider.Provider interface.
-func (v *Client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (v *Client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return v.GetSecretMapFn(ctx, ref)
 }
 func (v *Client) Close(ctx context.Context) error {
@@ -87,7 +87,7 @@ func (v *Client) Close(ctx context.Context) error {
 
 // WithGetSecretMap wraps the secret data map returned by this fake provider.
 func (v *Client) WithGetSecretMap(secData map[string][]byte, err error) *Client {
-	v.GetSecretMapFn = func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+	v.GetSecretMapFn = func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 		return secData, err
 	}
 	return v

+ 9 - 9
pkg/provider/gcp/secretmanager/secretsmanager.go

@@ -167,24 +167,24 @@ func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSec
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 	}
 
-	version := ref.Extract.Version
+	version := ref.Version
 	if version == "" {
 		version = defaultVersion
 	}
 
 	req := &secretmanagerpb.AccessSecretVersionRequest{
-		Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", sm.projectID, ref.Extract.Key, version),
+		Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", sm.projectID, ref.Key, version),
 	}
 	result, err := sm.SecretManagerClient.AccessSecretVersion(ctx, req)
 	if err != nil {
 		return nil, fmt.Errorf(errClientGetSecretAccess, err)
 	}
 
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if result.Payload.Data != nil {
 			return result.Payload.Data, nil
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Key)
 	}
 
 	var payload string
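Review bot: `ref.Key` and `version` are interpolated into the resource name without validation, so a key containing `/` changes the shape of the path sent to AccessSecretVersion; the test fixture `/baz` on this page already yields `secrets//baz`. Both values come from the ExternalSecret spec, so rejecting separators before the `fmt.Sprintf` keeps a reference confined to a single secret under `sm.projectID`, for example `if strings.Contains(ref.Key, "/") || strings.Contains(version, "/") { return nil, fmt.Errorf("invalid secret key or version") }`. That would require adjusting the fixtures, and whether `strings` is imported in this file is not visible. `result.Payload` is also dereferenced without a nil check before `.Data` is read. GetSecret starts and ends outside the hunk.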
@@ -192,27 +192,27 @@ func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSec
 		payload = string(result.Payload.Data)
 	}
 
-	val := gjson.Get(payload, ref.Extract.Property)
+	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	return []byte(val.String()), nil
 }
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (sm *ProviderGCP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *ProviderGCP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if sm.SecretManagerClient == nil || sm.projectID == "" {
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 	}
 
-	data, err := sm.GetSecret(ctx, ref)
+	data, err := sm.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
 	}

+ 14 - 7
pkg/provider/gcp/secretmanager/secretsmanager_test.go

@@ -31,6 +31,7 @@ type secretManagerTestCase struct {
 	apiInput       *secretmanagerpb.AccessSecretVersionRequest
 	apiOutput      *secretmanagerpb.AccessSecretVersionResponse
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	projectID      string
 	apiErr         error
 	expectError    string
@@ -44,6 +45,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		mockClient:     &fakesm.MockSMClient{},
 		apiInput:       makeValidAPIInput(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		projectID:      "default",
 		apiErr:         nil,
@@ -58,6 +60,13 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "/baz",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "/baz",
 			Version: "default",
@@ -113,11 +122,9 @@ func TestSecretManagerGetSecret(t *testing.T) {
 	// good case: ref with
 	setCustomRef := func(smtc *secretManagerTestCase) {
 		smtc.ref = &esv1alpha1.ExternalSecretDataRemoteRef{
-			Extract: esv1alpha1.ExternalSecretExtract{
-				Key:      "/baz",
-				Version:  "default",
-				Property: "name.first",
-			},
+			Key:      "/baz",
+			Version:  "default",
+			Property: "name.first",
 		}
 		smtc.apiInput.Name = "projects/default/secrets//baz/versions/default"
 		smtc.apiOutput.Payload.Data = []byte(
@@ -134,7 +141,7 @@ func TestSecretManagerGetSecret(t *testing.T) {
 
 	// good case: custom version set
 	setCustomVersion := func(smtc *secretManagerTestCase) {
-		smtc.ref.Extract.Version = "1234"
+		smtc.ref.Version = "1234"
 		smtc.apiInput.Name = "projects/default/secrets//baz/versions/1234"
 		smtc.apiOutput.Payload.Data = []byte("FOOBA!")
 		smtc.expectedSecret = "FOOBA!"
@@ -195,7 +202,7 @@ func TestGetSecretMap(t *testing.T) {
 	for k, v := range successCases {
 		sm.projectID = v.projectID
 		sm.SecretManagerClient = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}

+ 9 - 9
pkg/provider/gitlab/gitlab.go

@@ -153,7 +153,7 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 		return nil, fmt.Errorf(errUninitalizedGitlabProvider)
 	}
 	// Need to replace hyphens with underscores to work with Gitlab API
-	ref.Extract.Key = strings.ReplaceAll(ref.Extract.Key, "-", "_")
+	ref.Key = strings.ReplaceAll(ref.Key, "-", "_")
 	// Retrieves a gitlab variable in the form
 	// {
 	// 	"key": "TEST_VARIABLE_1",
@@ -161,16 +161,16 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 	// 	"value": "TEST_1",
 	// 	"protected": false,
 	// 	"masked": true
-	data, _, err := g.client.GetVariable(g.projectID, ref.Extract.Key, nil) // Optional 'filter' parameter could be added later
+	data, _, err := g.client.GetVariable(g.projectID, ref.Key, nil) // Optional 'filter' parameter could be added later
 	if err != nil {
 		return nil, err
 	}
 
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if data.Value != "" {
 			return []byte(data.Value), nil
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Key)
 	}
 
 	var payload string
@@ -178,23 +178,23 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 		payload = data.Value
 	}
 
-	val := gjson.Get(payload, ref.Extract.Property)
+	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	return []byte(val.String()), nil
 }
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (g *Gitlab) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (g *Gitlab) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
 
-func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// Gets a secret as normal, expecting secret value to be a json object
-	data, err := g.GetSecret(ctx, ref)
+	data, err := g.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, fmt.Errorf("error getting secret %s: %w", ref.Extract.Key, err)
 	}

+ 10 - 1
pkg/provider/gitlab/gitlab_test.go

@@ -32,6 +32,7 @@ type secretManagerTestCase struct {
 	apiInputKey       string
 	apiOutput         *gitlab.ProjectVariable
 	ref               *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom           *esv1alpha1.ExternalSecretDataFromRemoteRef
 	projectID         *string
 	apiErr            error
 	expectError       string
@@ -46,6 +47,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		apiInputProjectID: makeValidAPIInputProjectID(),
 		apiInputKey:       makeValidAPIInputKey(),
 		ref:               makeValidRef(),
+		refFrom:           makeValidRefFrom(),
 		projectID:         nil,
 		apiOutput:         makeValidAPIOutput(),
 		apiErr:            nil,
@@ -59,6 +61,13 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Version: "default",
@@ -159,7 +168,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := Gitlab{}
 	for k, v := range successCases {
 		sm.client = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
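Review bot: The failure branch of the loop in TestGetSecretMap formats the error with `err.Error()`, which panics on a nil error instead of reporting the mismatch. Assuming ErrorContains (defined outside this hunk) returns false when an error was expected but none came back, the test would crash rather than fail. Passing the error value itself avoids that: `t.Errorf("[%d] unexpected error: %v, expected: '%s'", k, err, v.expectError)`. The same line sits in the TestGetSecretMap loops of pkg/provider/ibm/provider_test.go and pkg/provider/oracle/oracle_test.go, which this commit also touches. The function body continues outside the hunk.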

+ 10 - 10
pkg/provider/ibm/provider.go

@@ -95,7 +95,7 @@ func (c *client) setAuth(ctx context.Context) error {
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (ibm *providerIBM) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (ibm *providerIBM) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
@@ -106,7 +106,7 @@ func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSe
 	}
 
 	secretType := sm.GetSecretOptionsSecretTypeArbitraryConst
-	secretName := ref.Extract.Key
+	secretName := ref.Key
 	nameSplitted := strings.Split(secretName, "/")
 
 	if len(nameSplitted) > 1 {
@@ -121,7 +121,7 @@ func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSe
 
 	case sm.CreateSecretOptionsSecretTypeUsernamePasswordConst:
 
-		if ref.Extract.Property == "" {
+		if ref.Property == "" {
 			return nil, fmt.Errorf("remoteRef.property required for secret type username_password")
 		}
 		return getUsernamePasswordSecret(ibm, &secretName, ref)
@@ -132,8 +132,8 @@ func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSe
 
 	case sm.CreateSecretOptionsSecretTypeImportedCertConst:
 
-		if ref.Extract.Property == "" {
-			return nil, fmt.Errorf("remoteRef.Extract.property required for secret type imported_cert")
+		if ref.Property == "" {
+			return nil, fmt.Errorf("remoteref.Property required for secret type imported_cert")
 		}
 
 		return getImportCertSecret(ibm, &secretName, ref)
@@ -171,10 +171,10 @@ func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1alpha1.Ex
 	secret := response.Resources[0].(*sm.SecretResource)
 	secretData := secret.SecretData.(map[string]interface{})
 
-	if val, ok := secretData[ref.Extract.Property]; ok {
+	if val, ok := secretData[ref.Property]; ok {
 		return []byte(val.(string)), nil
 	}
-	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 }
 
 func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, error) {
@@ -206,13 +206,13 @@ func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alp
 	secret := response.Resources[0].(*sm.SecretResource)
 	secretData := secret.SecretData.(map[string]interface{})
 
-	if val, ok := secretData[ref.Extract.Property]; ok {
+	if val, ok := secretData[ref.Property]; ok {
 		return []byte(val.(string)), nil
 	}
-	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 }
 
-func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(ibm.IBMClient) {
 		return nil, fmt.Errorf(errUninitalizedIBMProvider)
 	}
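Review bot: GetAllSecrets still returns `map[string][]byte{}, nil` under the `// TO be implemented` comment, so a caller cannot tell an unimplemented provider from a store that holds no secrets. While the signature is being changed anyway, returning an explicit error such as `return nil, fmt.Errorf("GetAllSecrets not implemented")` would keep a lookup from appearing to succeed with zero keys. How the controller consumes the result is not visible here, so confirm that no caller relies on the empty map. The same stub appears in the gitlab, oracle, vault, webhook and yandex lockbox providers in this commit.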

+ 22 - 13
pkg/provider/ibm/provider_test.go

@@ -37,6 +37,7 @@ type secretManagerTestCase struct {
 	apiInput       *sm.GetSecretOptions
 	apiOutput      *sm.GetSecret
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	serviceURL     *string
 	apiErr         error
 	expectError    string
@@ -50,6 +51,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		mockClient:     &fakesm.IBMMockClient{},
 		apiInput:       makeValidAPIInput(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		serviceURL:     nil,
 		apiErr:         nil,
@@ -63,6 +65,13 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Version: "default",
@@ -148,7 +157,7 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 				Name:       utilpointer.StringPtr("testyname"),
 				SecretData: secretData,
 			}}
-		smtc.ref.Extract.Key = "testyname"
+		smtc.ref.Key = "testyname"
 		smtc.apiInput.ID = utilpointer.StringPtr("testyname")
 		smtc.apiOutput.Resources = resources
 		smtc.expectedSecret = secretString
@@ -166,7 +175,7 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = secretUserPass
+		smtc.ref.Key = secretUserPass
 		smtc.expectError = "remoteRef.property required for secret type username_password"
 	}
 
@@ -181,8 +190,8 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = secretUserPass
-		smtc.ref.Extract.Property = "password"
+		smtc.ref.Key = secretUserPass
+		smtc.ref.Property = "password"
 		smtc.expectedSecret = secretPassword
 	}
 
@@ -197,7 +206,7 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeIamCredentialsConst)
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = "iam_credentials/test-secret"
+		smtc.ref.Key = "iam_credentials/test-secret"
 		smtc.expectedSecret = secretAPIKey
 	}
 
@@ -213,8 +222,8 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = secretCert
-		smtc.ref.Extract.Property = "certificate"
+		smtc.ref.Key = secretCert
+		smtc.ref.Property = "certificate"
 		smtc.expectedSecret = secretCertificate
 	}
 
@@ -229,8 +238,8 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = secretCert
-		smtc.expectError = "remoteRef.Extract.property required for secret type imported_cert"
+		smtc.ref.Key = secretCert
+		smtc.expectError = "remoteref.Property required for secret type imported_cert"
 	}
 
 	successCases := []*secretManagerTestCase{
@@ -313,7 +322,7 @@ func TestGetSecretMap(t *testing.T) {
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = "username_password/test-secret"
+		smtc.refFrom.Extract.Key = "username_password/test-secret"
 		smtc.expectedData["username"] = []byte(secretUsername)
 		smtc.expectedData["password"] = []byte(secretPassword)
 	}
@@ -329,7 +338,7 @@ func TestGetSecretMap(t *testing.T) {
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeIamCredentialsConst)
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = "iam_credentials/test-secret"
+		smtc.refFrom.Extract.Key = "iam_credentials/test-secret"
 		smtc.expectedData["apikey"] = []byte(secretAPIKey)
 	}
 
@@ -349,7 +358,7 @@ func TestGetSecretMap(t *testing.T) {
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = "imported_cert/test-secret"
+		smtc.refFrom.Extract.Key = "imported_cert/test-secret"
 		smtc.expectedData["certificate"] = []byte(secretCertificate)
 		smtc.expectedData["private_key"] = []byte(secretPrivateKey)
 		smtc.expectedData["intermediate"] = []byte(secretIntermediate)
@@ -368,7 +377,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := providerIBM{}
 	for k, v := range successCases {
 		sm.IBMClient = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
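Review bot: The expected message for the imported_cert case is now `remoteref.Property required for secret type imported_cert`, while the username_password case a few hunks up still expects `remoteRef.property required for secret type username_password`, so the two messages name the same field with different casing. Both strings are checked against the text produced in pkg/provider/ibm/provider.go, so settle on one spelling there and here, for example `smtc.expectError = "remoteRef.property required for secret type imported_cert"`. The enclosing setup closures start outside the hunks.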

+ 8 - 8
pkg/provider/oracle/oracle.go

@@ -132,8 +132,8 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1
 
 	sec, err := vms.Client.GetSecretBundleByName(ctx, secrets.GetSecretBundleByNameRequest{
 		VaultId:    &vms.vault,
-		SecretName: &ref.Extract.Key,
-		Stage:      secrets.GetSecretBundleByNameStageEnum(ref.Extract.Version),
+		SecretName: &ref.Key,
+		Stage:      secrets.GetSecretBundleByNameStageEnum(ref.Version),
 	})
 	if err != nil {
 		return nil, util.SanitizeErr(err)
@@ -149,14 +149,14 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1
 		return nil, err
 	}
 
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		return payload, nil
 	}
 
-	val := gjson.Get(string(payload), ref.Extract.Property)
+	val := gjson.Get(string(payload), ref.Property)
 
 	if !val.Exists() {
-		return nil, fmt.Errorf(errMissingKey, ref.Extract.Key)
+		return nil, fmt.Errorf(errMissingKey, ref.Key)
 	}
 
 	return []byte(val.String()), nil
@@ -164,13 +164,13 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
 
-func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	data, err := vms.GetSecret(ctx, ref)
+func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+	data, err := vms.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
 	}

+ 10 - 1
pkg/provider/oracle/oracle_test.go

@@ -31,6 +31,7 @@ type vaultTestCase struct {
 	apiInput       *secrets.GetSecretBundleByNameRequest
 	apiOutput      *secrets.GetSecretBundleByNameResponse
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -43,6 +44,7 @@ func makeValidVaultTestCase() *vaultTestCase {
 		mockClient:     &fakeoracle.OracleMockClient{},
 		apiInput:       makeValidAPIInput(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		apiErr:         nil,
 		expectError:    "",
@@ -55,6 +57,13 @@ func makeValidVaultTestCase() *vaultTestCase {
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Version: "default",
@@ -160,7 +169,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := VaultManagementService{}
 	for k, v := range successCases {
 		sm.Client = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}

+ 2 - 2
pkg/provider/provider.go

@@ -34,10 +34,10 @@ type SecretsClient interface {
 	GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
 
 	// GetSecretMap returns multiple k/v pairs from the provider
-	GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
+	GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 
 	// GetSecretMap returns all k/v pairs from the provider
-	GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
+	GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 
 	Close(ctx context.Context) error
 }
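Review bot: The doc comment above GetAllSecrets reads `// GetSecretMap returns all k/v pairs from the provider`, so the interface documents two different methods under the same name. Now that both take an ExternalSecretDataFromRemoteRef, the comments are the only place that tells implementers how the two differ. Suggest `// GetAllSecrets returns all k/v pairs from the provider`, plus a sentence on each method stating which part of the ref it reads. The interface declaration starts outside the hunk.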

+ 2 - 2
pkg/provider/schema/schema_test.go

@@ -39,13 +39,13 @@ func (p *PP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRem
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return map[string][]byte{}, nil
 }
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (p *PP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (p *PP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }

+ 5 - 5
pkg/provider/vault/vault.go

@@ -153,24 +153,24 @@ func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore
 }
 
 func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	data, err := v.readSecret(ctx, ref.Extract.Key, ref.Extract.Version)
+	data, err := v.readSecret(ctx, ref.Key, ref.Version)
 	if err != nil {
 		return nil, err
 	}
-	value, exists := data[ref.Extract.Property]
+	value, exists := data[ref.Property]
 	if !exists {
-		return nil, fmt.Errorf(errSecretKeyFmt, ref.Extract.Property)
+		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
 	}
 	return value, nil
 }
 
-func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return v.readSecret(ctx, ref.Extract.Key, ref.Extract.Version)
 }
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (v *client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (v *client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }

+ 6 - 6
pkg/provider/vault/vault_test.go

@@ -564,11 +564,11 @@ func TestGetSecretMap(t *testing.T) {
 	}
 
 	type args struct {
-		store   *esv1alpha1.VaultProvider
-		kube    kclient.Client
-		vClient Client
-		ns      string
-		data    esv1alpha1.ExternalSecretDataRemoteRef
+		store    *esv1alpha1.VaultProvider
+		kube     kclient.Client
+		vClient  Client
+		ns       string
+		dataFrom esv1alpha1.ExternalSecretDataFromRemoteRef
 	}
 
 	type want struct {
@@ -671,7 +671,7 @@ func TestGetSecretMap(t *testing.T) {
 				store:     tc.args.store,
 				namespace: tc.args.ns,
 			}
-			_, err := vStore.GetSecretMap(context.Background(), tc.args.data)
+			_, err := vStore.GetSecretMap(context.Background(), tc.args.dataFrom)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nvault.GetSecretMap(...): -want error, +got error:\n%s", tc.reason, diff)
 			}

+ 6 - 6
pkg/provider/webhook/webhook.go

@@ -129,12 +129,12 @@ func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDa
 	return result, nil
 }
 
-func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	provider, err := getProvider(w.store)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get store: %w", err)
 	}
-	result, err := w.getWebhookData(ctx, provider, ref)
+	result, err := w.getWebhookData(ctx, provider, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
 	}
@@ -181,9 +181,9 @@ func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecre
 func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef, secrets []esv1alpha1.WebhookSecret) (map[string]map[string]string, error) {
 	data := map[string]map[string]string{
 		"remoteRef": {
-			"key":      url.QueryEscape(ref.Extract.Key),
-			"version":  url.QueryEscape(ref.Extract.Version),
-			"property": url.QueryEscape(ref.Extract.Property),
+			"key":      url.QueryEscape(ref.Key),
+			"version":  url.QueryEscape(ref.Version),
+			"property": url.QueryEscape(ref.Property),
 		},
 	}
 	for _, secref := range secrets {
@@ -375,7 +375,7 @@ func (w *WebHook) getCertFromConfigMap(provider *esv1alpha1.WebhookProvider) ([]
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }

+ 3 - 5
pkg/provider/webhook/webhook_test.go

@@ -269,7 +269,7 @@ func runTestCase(tc testCase, t *testing.T) {
 }
 
 func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient) {
-	testRef := esv1alpha1.ExternalSecretDataRemoteRef{
+	testRef := esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     tc.Args.Key,
 			Version: tc.Args.Version,
@@ -297,10 +297,8 @@ func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient)
 
 func testGetSecret(tc testCase, t *testing.T, client provider.SecretsClient) {
 	testRef := esv1alpha1.ExternalSecretDataRemoteRef{
-		Extract: esv1alpha1.ExternalSecretExtract{
-			Key:     tc.Args.Key,
-			Version: tc.Args.Version,
-		},
+		Key:     tc.Args.Key,
+		Version: tc.Args.Version,
 	}
 	secret, err := client.GetSecret(context.Background(), testRef)
 	errStr := ""

+ 5 - 5
pkg/provider/yandex/lockbox/lockbox.go

@@ -226,12 +226,12 @@ type lockboxSecretsClient struct {
 
 // GetSecret returns a single secret from the provider.
 func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Extract.Key, ref.Extract.Version)
+	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Key, ref.Version)
 	if err != nil {
 		return nil, fmt.Errorf("unable to request secret payload to get secret: %w", err)
 	}
 
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		keyToValue := make(map[string]interface{}, len(entries))
 		for _, entry := range entries {
 			value, err := getValueAsIs(entry)
@@ -247,7 +247,7 @@ func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.Ext
 		return out, nil
 	}
 
-	entry, err := findEntryByKey(entries, ref.Extract.Property)
+	entry, err := findEntryByKey(entries, ref.Property)
 	if err != nil {
 		return nil, err
 	}
@@ -256,13 +256,13 @@ func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.Ext
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (c *lockboxSecretsClient) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (c *lockboxSecretsClient) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return map[string][]byte{}, nil
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (c *lockboxSecretsClient) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (c *lockboxSecretsClient) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Extract.Key, ref.Extract.Version)
 	if err != nil {
 		return nil, fmt.Errorf("unable to request secret payload to get secret map: %w", err)

+ 12 - 4
pkg/provider/yandex/lockbox/lockbox_test.go

@@ -562,7 +562,7 @@ func TestGetSecretMap(t *testing.T) {
 	})
 	secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 	tassert.Nil(t, err)
-	data, err := secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", ""))
+	data, err := secretsClient.GetSecretMap(ctx, getRemoteFromDef(secretID, "", ""))
 	tassert.Nil(t, err)
 
 	tassert.Equal(
@@ -598,7 +598,7 @@ func TestGetSecretMapByVersionID(t *testing.T) {
 	})
 	secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 	tassert.Nil(t, err)
-	data, err := secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", oldVersionID))
+	data, err := secretsClient.GetSecretMap(ctx, getRemoteFromDef(secretID, "", oldVersionID))
 	tassert.Nil(t, err)
 
 	tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
@@ -608,11 +608,11 @@ func TestGetSecretMapByVersionID(t *testing.T) {
 		textEntry(newKey, newVal),
 	)
 
-	data, err = secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", oldVersionID))
+	data, err = secretsClient.GetSecretMap(ctx, getRemoteFromDef(secretID, "", oldVersionID))
 	tassert.Nil(t, err)
 	tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
 
-	data, err = secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", newVersionID))
+	data, err = secretsClient.GetSecretMap(ctx, getRemoteFromDef(secretID, "", newVersionID))
 	tassert.Nil(t, err)
 	tassert.Equal(t, map[string][]byte{newKey: []byte(newVal)}, data)
 }
@@ -642,6 +642,14 @@ func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName
 
 func getRemoteDef(key, property, version string) esv1alpha1.ExternalSecretDataRemoteRef {
 	return esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:      key,
+		Property: property,
+		Version:  version,
+	}
+}
+
+func getRemoteFromDef(key, property, version string) esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:      key,
 			Property: property,