Browse Source

Created new struct for dataFrom

Sebastian Gomez 4 years ago
parent
commit
48ac7b991f
43 changed files with 395 additions and 303 deletions
  1. 24 1
      apis/externalsecrets/v1alpha1/externalsecret_types.go
  2. 19 6
      apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
  3. 15 36
      deploy/crds/external-secrets.io_externalsecrets.yaml
  4. 2 0
      docs/api-externalsecret.md
  5. 2 1
      docs/snippets/akeyless-external-secret-json.yaml
  6. 3 1
      docs/snippets/azkv-external-secret.yaml
  7. 4 1
      docs/snippets/basic-external-secret.yaml
  8. 17 4
      docs/snippets/full-external-secret.yaml
  9. 2 1
      docs/snippets/gcpsm-data-from-external-secret.yaml
  10. 2 1
      docs/snippets/gitlab-external-secret-json.yaml
  11. 2 1
      docs/snippets/oracle-external-secret.yaml
  12. 25 53
      e2e/suite/common/common.go
  13. 1 3
      e2e/suite/gcp/gcp.go
  14. 1 0
      hack/api-docs/mkdocs.yml
  15. 1 1
      pkg/controllers/externalsecret/externalsecret_controller.go
  16. 5 7
      pkg/controllers/externalsecret/externalsecret_controller_test.go
  17. 6 6
      pkg/provider/akeyless/akeyless.go
  18. 10 1
      pkg/provider/akeyless/akeyless_test.go
  19. 9 9
      pkg/provider/alibaba/kms.go
  20. 10 2
      pkg/provider/alibaba/kms_test.go
  21. 9 9
      pkg/provider/aws/parameterstore/parameterstore.go
  22. 12 4
      pkg/provider/aws/parameterstore/parameterstore_test.go
  23. 13 13
      pkg/provider/aws/secretsmanager/secretsmanager.go
  24. 19 10
      pkg/provider/aws/secretsmanager/secretsmanager_test.go
  25. 13 12
      pkg/provider/azure/keyvault/keyvault.go
  26. 31 22
      pkg/provider/azure/keyvault/keyvault_test.go
  27. 5 5
      pkg/provider/fake/fake.go
  28. 9 9
      pkg/provider/gcp/secretmanager/secretsmanager.go
  29. 14 7
      pkg/provider/gcp/secretmanager/secretsmanager_test.go
  30. 9 9
      pkg/provider/gitlab/gitlab.go
  31. 10 1
      pkg/provider/gitlab/gitlab_test.go
  32. 10 10
      pkg/provider/ibm/provider.go
  33. 22 13
      pkg/provider/ibm/provider_test.go
  34. 8 8
      pkg/provider/oracle/oracle.go
  35. 10 1
      pkg/provider/oracle/oracle_test.go
  36. 2 2
      pkg/provider/provider.go
  37. 2 2
      pkg/provider/schema/schema_test.go
  38. 5 5
      pkg/provider/vault/vault.go
  39. 6 6
      pkg/provider/vault/vault_test.go
  40. 6 6
      pkg/provider/webhook/webhook.go
  41. 3 5
      pkg/provider/webhook/webhook_test.go
  42. 5 5
      pkg/provider/yandex/lockbox/lockbox.go
  43. 12 4
      pkg/provider/yandex/lockbox/lockbox_test.go

+ 24 - 1
apis/externalsecrets/v1alpha1/externalsecret_types.go

@@ -118,13 +118,36 @@ type ExternalSecretData struct {
 
 
 // ExternalSecretDataRemoteRef defines Provider data location.
 // ExternalSecretDataRemoteRef defines Provider data location.
 type ExternalSecretDataRemoteRef struct {
 type ExternalSecretDataRemoteRef struct {
+	// Key is the key used in the Provider, mandatory
+	Key string `json:"key"`
+
+	// Used to select a specific version of the Provider value, if supported
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// +optional
+	// Used to select a specific property of the Provider value (if a map), if supported
+	Property string `json:"property,omitempty"`
+}
+
+// ExternalSecretDataFromRemoteRef defines Provider data location.
+type ExternalSecretDataFromRemoteRef struct {
 	// Used to select a specific version and property from the secret
 	// Used to select a specific version and property from the secret
 	// +optional
 	// +optional
 	Extract ExternalSecretExtract `json:"extract,omitempty"`
 	Extract ExternalSecretExtract `json:"extract,omitempty"`
 	// Used to find secrets based on tags or regular expressions
 	// Used to find secrets based on tags or regular expressions
+	// +optional
 	Find ExternalSecretFind `json:"find,omitempty"`
 	Find ExternalSecretFind `json:"find,omitempty"`
 }
 }
 
 
+func (ref ExternalSecretDataFromRemoteRef) GetDataRemoteRef() ExternalSecretDataRemoteRef {
+	return ExternalSecretDataRemoteRef{
+		Key:      ref.Extract.Key,
+		Property: ref.Extract.Property,
+		Version:  ref.Extract.Version,
+	}
+}
+
 type ExternalSecretExtract struct {
 type ExternalSecretExtract struct {
 	// Key is the key used in the Provider
 	// Key is the key used in the Provider
 	// +optional
 	// +optional
@@ -174,7 +197,7 @@ type ExternalSecretSpec struct {
 	// DataFrom is used to fetch all properties from a specific Provider data
 	// DataFrom is used to fetch all properties from a specific Provider data
 	// If multiple entries are specified, the Secret keys are merged in the specified order
 	// If multiple entries are specified, the Secret keys are merged in the specified order
 	// +optional
 	// +optional
-	DataFrom []ExternalSecretDataRemoteRef `json:"dataFrom,omitempty"`
+	DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
 }
 }
 
 
 type ExternalSecretConditionType string
 type ExternalSecretConditionType string

+ 19 - 6
apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -389,7 +389,7 @@ func (in *ExternalSecret) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
 func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
 	*out = *in
 	*out = *in
-	in.RemoteRef.DeepCopyInto(&out.RemoteRef)
+	out.RemoteRef = in.RemoteRef
 }
 }
 
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretData.
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretData.
@@ -403,12 +403,27 @@ func (in *ExternalSecretData) DeepCopy() *ExternalSecretData {
 }
 }
 
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
+func (in *ExternalSecretDataFromRemoteRef) DeepCopyInto(out *ExternalSecretDataFromRemoteRef) {
 	*out = *in
 	*out = *in
 	out.Extract = in.Extract
 	out.Extract = in.Extract
 	in.Find.DeepCopyInto(&out.Find)
 	in.Find.DeepCopyInto(&out.Find)
 }
 }
 
 
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataFromRemoteRef.
+func (in *ExternalSecretDataFromRemoteRef) DeepCopy() *ExternalSecretDataFromRemoteRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretDataFromRemoteRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
+	*out = *in
+}
+
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataRemoteRef.
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataRemoteRef.
 func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
 func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
 	if in == nil {
 	if in == nil {
@@ -502,13 +517,11 @@ func (in *ExternalSecretSpec) DeepCopyInto(out *ExternalSecretSpec) {
 	if in.Data != nil {
 	if in.Data != nil {
 		in, out := &in.Data, &out.Data
 		in, out := &in.Data, &out.Data
 		*out = make([]ExternalSecretData, len(*in))
 		*out = make([]ExternalSecretData, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+		copy(*out, *in)
 	}
 	}
 	if in.DataFrom != nil {
 	if in.DataFrom != nil {
 		in, out := &in.DataFrom, &out.DataFrom
 		in, out := &in.DataFrom, &out.DataFrom
-		*out = make([]ExternalSecretDataRemoteRef, len(*in))
+		*out = make([]ExternalSecretDataFromRemoteRef, len(*in))
 		for i := range *in {
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 		}

+ 15 - 36
deploy/crds/external-secrets.io_externalsecrets.yaml

@@ -59,41 +59,19 @@ spec:
                       description: ExternalSecretDataRemoteRef defines Provider data
                       description: ExternalSecretDataRemoteRef defines Provider data
                         location.
                         location.
                       properties:
                       properties:
-                        extract:
-                          description: Used to select a specific version and property
-                            from the secret
-                          properties:
-                            key:
-                              description: Key is the key used in the Provider
-                              type: string
-                            property:
-                              description: Used to select a specific property of the
-                                Provider value (if a map), if supported
-                              type: string
-                            version:
-                              description: Used to select a specific version of the
-                                Provider value, if supported
-                              type: string
-                          type: object
-                        find:
-                          description: Used to find secrets based on tags or regular
-                            expressions
-                          properties:
-                            name:
-                              description: Key is the key used in the Provider
-                              properties:
-                                regexp:
-                                  description: Used to select multiple secrets based
-                                    on a regular expression of the name
-                                  type: string
-                              type: object
-                            tags:
-                              additionalProperties:
-                                type: string
-                              description: Used to select a specific version of the
-                                Provider value, if supported
-                              type: object
-                          type: object
+                        key:
+                          description: Key is the key used in the Provider, mandatory
+                          type: string
+                        property:
+                          description: Used to select a specific property of the Provider
+                            value (if a map), if supported
+                          type: string
+                        version:
+                          description: Used to select a specific version of the Provider
+                            value, if supported
+                          type: string
+                      required:
+                      - key
                       type: object
                       type: object
                     secretKey:
                     secretKey:
                       type: string
                       type: string
@@ -107,7 +85,8 @@ spec:
                   Provider data If multiple entries are specified, the Secret keys
                   Provider data If multiple entries are specified, the Secret keys
                   are merged in the specified order
                   are merged in the specified order
                 items:
                 items:
-                  description: ExternalSecretDataRemoteRef defines Provider data location.
+                  description: ExternalSecretDataFromRemoteRef defines Provider data
+                    location.
                   properties:
                   properties:
                     extract:
                     extract:
                       description: Used to select a specific version and property
                       description: Used to select a specific version and property

+ 2 - 0
docs/api-externalsecret.md

@@ -4,6 +4,8 @@ be transformed and saved as a `Kind=Secret`:
 * tells the operator what secrets should be synced by using `spec.data` to
 * tells the operator what secrets should be synced by using `spec.data` to
   explicitly sync individual keys or use `spec.dataFrom` to get **all values**
   explicitly sync individual keys or use `spec.dataFrom` to get **all values**
   from the external API.
   from the external API.
+* you can also use `spec.dataFrom` to sync many secrets at once, based on a
+  regular expression of their name or on tags/attributes
 * you can specify how the secret should look like by specifying a
 * you can specify how the secret should look like by specifying a
   `spec.target.template`
   `spec.target.template`
 
 

+ 2 - 1
docs/snippets/akeyless-external-secret-json.yaml

@@ -15,4 +15,5 @@ spec:
 
 
   # for json formatted secrets: each key in the json will be used as the secret key in the SECRET k8s target object
   # for json formatted secrets: each key in the json will be used as the secret key in the SECRET k8s target object
   dataFrom:
   dataFrom:
-  - key: secret-name # Full path of the secret on Akeyless
+  - extract:
+      key: secret-name # Full path of the secret on Akeyless

+ 3 - 1
docs/snippets/azkv-external-secret.yaml

@@ -38,4 +38,6 @@ spec:
   # dataFrom , return ALL secrets saved in the referenced secretStore
   # dataFrom , return ALL secrets saved in the referenced secretStore
   # each secret name in the KV will be used as the secret key in the SECRET k8s target object
   # each secret name in the KV will be used as the secret key in the SECRET k8s target object
   dataFrom:
   dataFrom:
-  - name: "*"
+  - find:
+      name:
+        regexp: "regexp-name"

+ 4 - 1
docs/snippets/basic-external-secret.yaml

@@ -17,4 +17,7 @@ spec:
       version: provider-key-version
       version: provider-key-version
       property: provider-key-property
       property: provider-key-property
   dataFrom:
   dataFrom:
-  - key: remote-key-in-the-provider
+  - extract:
+      key: provider-key
+      version: provider-key-version
+      property: provider-key-property

+ 17 - 4
docs/snippets/full-external-secret.yaml

@@ -70,12 +70,25 @@ spec:
         version: provider-key-version
         version: provider-key-version
         property: provider-key-property
         property: provider-key-property
 
 
-  # Used to fetch all properties from the Provider key
+  # Used to fetch the desired property from the Provider key
   # If multiple dataFrom are specified, secrets are merged in the specified order
   # If multiple dataFrom are specified, secrets are merged in the specified order
   dataFrom:
   dataFrom:
-  - key: provider-key
-    version: provider-key-version
-    property: provider-key-property
+  - extract:
+      key: provider-key
+      version: provider-key-version
+      property: provider-key-property
+
+  # Used to fetch many secrets based on a regular expression of their name
+  dataFrom:
+  - find:
+      name:
+        regexp: "regexp-name"
+
+  # Used to fetch many secrets based on the tags (or attributes) in the Provider
+  dataFrom:
+  - find:
+      tags:
+        tag-key: tag-value
 
 
 status:
 status:
   # refreshTime is the time and date the external secret was fetched and
   # refreshTime is the time and date the external secret was fetched and

+ 2 - 1
docs/snippets/gcpsm-data-from-external-secret.yaml

@@ -11,4 +11,5 @@ spec:
     name: secret-to-be-created  # name of the k8s Secret to be created
     name: secret-to-be-created  # name of the k8s Secret to be created
     creationPolicy: Owner
     creationPolicy: Owner
   dataFrom:
   dataFrom:
-  - key: all-keys-example-secret  # name of the GCPSM secret
+  - extract:
+      key: all-keys-example-secret # name of the GCPSM secret

+ 2 - 1
docs/snippets/gitlab-external-secret-json.yaml

@@ -15,4 +15,5 @@ spec:
 
 
   # each secret name in the KV will be used as the secret key in the SECRET k8s target object
   # each secret name in the KV will be used as the secret key in the SECRET k8s target object
   dataFrom:
   dataFrom:
-  - key: "myJsonVariable" # Key of the variable on Gitlab
+  - extract:
+      key: all-keys-example-secret # Key of the variable on Gitlab

+ 2 - 1
docs/snippets/oracle-external-secret.yaml

@@ -11,4 +11,5 @@ spec:
     name: secret-to-be-created # Name for the secret on the cluster
     name: secret-to-be-created # Name for the secret on the cluster
     creationPolicy: Owner
     creationPolicy: Owner
   dataFrom:
   dataFrom:
-    - key: the-secret-name
+  - extract:
+      key: the-secret-name

+ 25 - 53
e2e/suite/common/common.go

@@ -52,17 +52,13 @@ func SimpleDataSync(f *framework.Framework) (string, func(*framework.TestCase))
 			{
 			{
 				SecretKey: secretKey1,
 				SecretKey: secretKey1,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key: secretKey1,
-					},
+					Key: secretKey1,
 				},
 				},
 			},
 			},
 			{
 			{
 				SecretKey: secretKey2,
 				SecretKey: secretKey2,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key: secretKey2,
-					},
+					Key: secretKey2,
 				},
 				},
 			},
 			},
 		}
 		}
@@ -89,9 +85,7 @@ func SyncWithoutTargetName(f *framework.Framework) (string, func(*framework.Test
 			{
 			{
 				SecretKey: secretKey1,
 				SecretKey: secretKey1,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key: secretKey1,
-					},
+					Key: secretKey1,
 				},
 				},
 			},
 			},
 		}
 		}
@@ -121,19 +115,15 @@ func JSONDataWithProperty(f *framework.Framework) (string, func(*framework.TestC
 			{
 			{
 				SecretKey: secretKey1,
 				SecretKey: secretKey1,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey1,
-						Property: "foo1",
-					},
+					Key:      secretKey1,
+					Property: "foo1",
 				},
 				},
 			},
 			},
 			{
 			{
 				SecretKey: secretKey2,
 				SecretKey: secretKey2,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey2,
-						Property: "bar2",
-					},
+					Key:      secretKey2,
+					Property: "bar2",
 				},
 				},
 			},
 			},
 		}
 		}
@@ -160,10 +150,8 @@ func JSONDataWithoutTargetName(f *framework.Framework) (string, func(*framework.
 			{
 			{
 				SecretKey: secretKey,
 				SecretKey: secretKey,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey,
-						Property: "foo",
-					},
+					Key:      secretKey,
+					Property: "foo",
 				},
 				},
 			},
 			},
 		}
 		}
@@ -213,19 +201,15 @@ func JSONDataWithTemplate(f *framework.Framework) (string, func(*framework.TestC
 			{
 			{
 				SecretKey: "one",
 				SecretKey: "one",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey1,
-						Property: "foo1",
-					},
+					Key:      secretKey1,
+					Property: "foo1",
 				},
 				},
 			},
 			},
 			{
 			{
 				SecretKey: "two",
 				SecretKey: "two",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey2,
-						Property: "bar2",
-					},
+					Key:      secretKey2,
+					Property: "bar2",
 				},
 				},
 			},
 			},
 		}
 		}
@@ -251,7 +235,7 @@ func JSONDataFromSync(f *framework.Framework) (string, func(*framework.TestCase)
 				targetSecretKey2: []byte(targetSecretValue2),
 				targetSecretKey2: []byte(targetSecretValue2),
 			},
 			},
 		}
 		}
-		tc.ExternalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.ExternalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
 			{
 			{
 				Extract: esv1alpha1.ExternalSecretExtract{
 				Extract: esv1alpha1.ExternalSecretExtract{
 					Key: secretKey1,
 					Key: secretKey1,
@@ -295,19 +279,15 @@ func NestedJSONWithGJSON(f *framework.Framework) (string, func(*framework.TestCa
 			{
 			{
 				SecretKey: targetSecretKey1,
 				SecretKey: targetSecretKey1,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey1,
-						Property: "name.first",
-					},
+					Key:      secretKey1,
+					Property: "name.first",
 				},
 				},
 			},
 			},
 			{
 			{
 				SecretKey: targetSecretKey2,
 				SecretKey: targetSecretKey2,
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      secretKey1,
-						Property: "friends.1.first",
-					},
+					Key:      secretKey1,
+					Property: "friends.1.first",
 				},
 				},
 			},
 			},
 		}
 		}
@@ -337,10 +317,8 @@ func DockerJSONConfig(f *framework.Framework) (string, func(*framework.TestCase)
 			{
 			{
 				SecretKey: "mysecret",
 				SecretKey: "mysecret",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      cloudSecretName,
-						Property: "dockerconfig",
-					},
+					Key:      cloudSecretName,
+					Property: "dockerconfig",
 				},
 				},
 			},
 			},
 		}
 		}
@@ -377,10 +355,8 @@ func DataPropertyDockerconfigJSON(f *framework.Framework) (string, func(*framewo
 			{
 			{
 				SecretKey: "mysecret",
 				SecretKey: "mysecret",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      cloudSecretName,
-						Property: "dockerconfig",
-					},
+					Key:      cloudSecretName,
+					Property: "dockerconfig",
 				},
 				},
 			},
 			},
 		}
 		}
@@ -453,9 +429,7 @@ func SSHKeySync(f *framework.Framework) (string, func(*framework.TestCase)) {
 			{
 			{
 				SecretKey: "mysecret",
 				SecretKey: "mysecret",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key: sshSecretName,
-					},
+					Key: sshSecretName,
 				},
 				},
 			},
 			},
 		}
 		}
@@ -527,10 +501,8 @@ func SSHKeySyncDataProperty(f *framework.Framework) (string, func(*framework.Tes
 			{
 			{
 				SecretKey: "mysecret",
 				SecretKey: "mysecret",
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-					Extract: esv1alpha1.ExternalSecretExtract{
-						Key:      cloudSecretName,
-						Property: "ssh-auth",
-					},
+					Key:      cloudSecretName,
+					Property: "ssh-auth",
 				},
 				},
 			},
 			},
 		}
 		}

+ 1 - 3
e2e/suite/gcp/gcp.go

@@ -138,9 +138,7 @@ x6HaRh+EUwU51von6M9lEF9/p5Q=
 		{
 		{
 			SecretKey: "mysecret",
 			SecretKey: "mysecret",
 			RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 			RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-				Extract: esv1alpha1.ExternalSecretExtract{
-					Key: cloudSecretName,
-				},
+				Key: cloudSecretName,
 			},
 			},
 		},
 		},
 	}
 	}

+ 1 - 0
hack/api-docs/mkdocs.yml

@@ -32,6 +32,7 @@ nav:
     - Getting started: guides-getting-started.md
     - Getting started: guides-getting-started.md
     - Advanced Templating: guides-templating.md
     - Advanced Templating: guides-templating.md
     - All keys, One secret: guides-all-keys-one-secret.md
     - All keys, One secret: guides-all-keys-one-secret.md
+    - Multiple secrets: guides-multiple-secrets.md
     - Common K8S Secret Types: guides-common-k8s-secret-types.md
     - Common K8S Secret Types: guides-common-k8s-secret-types.md
     - Multi Tenancy: guides-multi-tenancy.md
     - Multi Tenancy: guides-multi-tenancy.md
     - Metrics: guides-metrics.md
     - Metrics: guides-metrics.md

+ 1 - 1
pkg/controllers/externalsecret/externalsecret_controller.go

@@ -419,7 +419,7 @@ func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient p
 	for _, secretRef := range externalSecret.Spec.Data {
 	for _, secretRef := range externalSecret.Spec.Data {
 		secretData, err := providerClient.GetSecret(ctx, secretRef.RemoteRef)
 		secretData, err := providerClient.GetSecret(ctx, secretRef.RemoteRef)
 		if err != nil {
 		if err != nil {
-			return nil, fmt.Errorf(errGetSecretKey, secretRef.RemoteRef.Extract.Key, externalSecret.Name, err)
+			return nil, fmt.Errorf(errGetSecretKey, secretRef.RemoteRef.Key, externalSecret.Name, err)
 		}
 		}
 
 
 		providerData[secretRef.SecretKey] = secretData
 		providerData[secretRef.SecretKey] = secretData

+ 5 - 7
pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -217,10 +217,8 @@ var _ = Describe("ExternalSecret controller", func() {
 						{
 						{
 							SecretKey: targetProp,
 							SecretKey: targetProp,
 							RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
 							RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
-								Extract: esv1alpha1.ExternalSecretExtract{
-									Key:      remoteKey,
-									Property: remoteProperty,
-								},
+								Key:      remoteKey,
+								Property: remoteProperty,
 							},
 							},
 						},
 						},
 					},
 					},
@@ -522,7 +520,7 @@ var _ = Describe("ExternalSecret controller", func() {
 				tplStaticKey: tplStaticVal,
 				tplStaticKey: tplStaticVal,
 			},
 			},
 		}
 		}
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
 			{
 			{
 				Extract: esv1alpha1.ExternalSecretExtract{
 				Extract: esv1alpha1.ExternalSecretExtract{
 					Key: "datamap",
 					Key: "datamap",
@@ -690,7 +688,7 @@ var _ = Describe("ExternalSecret controller", func() {
 	// should be put into the secret
 	// should be put into the secret
 	syncWithDataFrom := func(tc *testCase) {
 	syncWithDataFrom := func(tc *testCase) {
 		tc.externalSecret.Spec.Data = nil
 		tc.externalSecret.Spec.Data = nil
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
 			{
 			{
 				Extract: esv1alpha1.ExternalSecretExtract{
 				Extract: esv1alpha1.ExternalSecretExtract{
 					Key: remoteKey,
 					Key: remoteKey,
@@ -719,7 +717,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			},
 			},
 		}
 		}
 
 
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
 			{
 			{
 				Extract: esv1alpha1.ExternalSecretExtract{
 				Extract: esv1alpha1.ExternalSecretExtract{
 					Key: remoteKey,
 					Key: remoteKey,

+ 6 - 6
pkg/provider/akeyless/akeyless.go

@@ -115,13 +115,13 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
 		return nil, err
 		return nil, err
 	}
 	}
 	version := int32(0)
 	version := int32(0)
-	if ref.Extract.Version != "" {
-		i, err := strconv.ParseInt(ref.Extract.Version, 10, 32)
+	if ref.Version != "" {
+		i, err := strconv.ParseInt(ref.Version, 10, 32)
 		if err == nil {
 		if err == nil {
 			version = int32(i)
 			version = int32(i)
 		}
 		}
 	}
 	}
-	value, err := a.Client.GetSecretByType(ref.Extract.Key, token, version)
+	value, err := a.Client.GetSecretByType(ref.Key, token, version)
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}
@@ -130,19 +130,19 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
 // Implements store.Client.GetSecretMap Interface.
 // Implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
 // New version of GetSecretMap.
-func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(a.Client) {
 	if utils.IsNil(a.Client) {
 		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
 		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
 	}
 	}
 
 
-	val, err := a.GetSecret(ctx, ref)
+	val, err := a.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}

+ 10 - 1
pkg/provider/akeyless/akeyless_test.go

@@ -29,6 +29,7 @@ type akeylessTestCase struct {
 	apiInput       *fakeakeyless.Input
 	apiInput       *fakeakeyless.Input
 	apiOutput      *fakeakeyless.Output
 	apiOutput      *fakeakeyless.Output
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	expectError    string
 	expectError    string
 	expectedSecret string
 	expectedSecret string
 	// for testing secretmap
 	// for testing secretmap
@@ -40,6 +41,7 @@ func makeValidAkeylessTestCase() *akeylessTestCase {
 		mockClient:     &fakeakeyless.AkeylessMockClient{},
 		mockClient:     &fakeakeyless.AkeylessMockClient{},
 		apiInput:       makeValidInput(),
 		apiInput:       makeValidInput(),
 		ref:            makeValidRef(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidOutput(),
 		apiOutput:      makeValidOutput(),
 		expectError:    "",
 		expectError:    "",
 		expectedSecret: "",
 		expectedSecret: "",
@@ -51,6 +53,13 @@ func makeValidAkeylessTestCase() *akeylessTestCase {
 
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "1",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Key:     "test-secret",
 			Version: "1",
 			Version: "1",
@@ -149,7 +158,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := Akeyless{}
 	sm := Akeyless{}
 	for k, v := range successCases {
 	for k, v := range successCases {
 		sm.Client = v.mockClient
 		sm.Client = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}

+ 9 - 9
pkg/provider/alibaba/kms.go

@@ -116,40 +116,40 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.E
 		return nil, fmt.Errorf(errUninitalizedAlibabaProvider)
 		return nil, fmt.Errorf(errUninitalizedAlibabaProvider)
 	}
 	}
 	kmsRequest := kmssdk.CreateGetSecretValueRequest()
 	kmsRequest := kmssdk.CreateGetSecretValueRequest()
-	kmsRequest.VersionId = ref.Extract.Version
-	kmsRequest.SecretName = ref.Extract.Key
+	kmsRequest.VersionId = ref.Version
+	kmsRequest.SecretName = ref.Key
 	kmsRequest.SetScheme("https")
 	kmsRequest.SetScheme("https")
 	secretOut, err := kms.Client.GetSecretValue(kmsRequest)
 	secretOut, err := kms.Client.GetSecretValue(kmsRequest)
 	if err != nil {
 	if err != nil {
 		return nil, util.SanitizeErr(err)
 		return nil, util.SanitizeErr(err)
 	}
 	}
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if secretOut.SecretData != "" {
 		if secretOut.SecretData != "" {
 			return []byte(secretOut.SecretData), nil
 			return []byte(secretOut.SecretData), nil
 		}
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
 	}
 	}
 	var payload string
 	var payload string
 	if secretOut.SecretData != "" {
 	if secretOut.SecretData != "" {
 		payload = secretOut.SecretData
 		payload = secretOut.SecretData
 	}
 	}
-	val := gjson.Get(payload, ref.Extract.Property)
+	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	}
 	return []byte(val.String()), nil
 	return []byte(val.String()), nil
 }
 }
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
 // GetSecretMap returns multiple k/v pairs from the provider.
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	data, err := kms.GetSecret(ctx, ref)
+func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+	data, err := kms.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}

+ 10 - 2
pkg/provider/alibaba/kms_test.go

@@ -38,6 +38,7 @@ type keyManagementServiceTestCase struct {
 	apiInput       *kmssdk.GetSecretValueRequest
 	apiInput       *kmssdk.GetSecretValueRequest
 	apiOutput      *kmssdk.GetSecretValueResponse
 	apiOutput      *kmssdk.GetSecretValueResponse
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	apiErr         error
 	expectError    string
 	expectError    string
 	expectedSecret string
 	expectedSecret string
@@ -50,6 +51,7 @@ func makeValidKMSTestCase() *keyManagementServiceTestCase {
 		mockClient:     &fakesm.AlibabaMockClient{},
 		mockClient:     &fakesm.AlibabaMockClient{},
 		apiInput:       makeValidAPIInput(),
 		apiInput:       makeValidAPIInput(),
 		ref:            makeValidRef(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		apiOutput:      makeValidAPIOutput(),
 		apiErr:         nil,
 		apiErr:         nil,
 		expectError:    "",
 		expectError:    "",
@@ -62,6 +64,12 @@ func makeValidKMSTestCase() *keyManagementServiceTestCase {
 
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key: secretName,
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key: secretName,
 			Key: secretName,
 		},
 		},
@@ -129,7 +137,7 @@ func TestAlibabaKMSGetSecret(t *testing.T) {
 	// good case: custom version set
 	// good case: custom version set
 	setCustomKey := func(kmstc *keyManagementServiceTestCase) {
 	setCustomKey := func(kmstc *keyManagementServiceTestCase) {
 		kmstc.apiOutput.SecretName = "test-example-other"
 		kmstc.apiOutput.SecretName = "test-example-other"
-		kmstc.ref.Extract.Key = "test-example-other"
+		kmstc.ref.Key = "test-example-other"
 		kmstc.apiOutput.SecretData = secretValue
 		kmstc.apiOutput.SecretData = secretValue
 		kmstc.expectedSecret = secretValue
 		kmstc.expectedSecret = secretValue
 	}
 	}
@@ -178,7 +186,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := KeyManagementService{}
 	sm := KeyManagementService{}
 	for k, v := range successCases {
 	for k, v := range successCases {
 		sm.Client = v.mockClient
 		sm.Client = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}

+ 9 - 9
pkg/provider/aws/parameterstore/parameterstore.go

@@ -50,38 +50,38 @@ func New(sess client.ConfigProvider) (*ParameterStore, error) {
 
 
 // GetSecret returns a single secret from the provider.
 // GetSecret returns a single secret from the provider.
 func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
 func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	log.Info("fetching secret value", "key", ref.Extract.Key)
+	log.Info("fetching secret value", "key", ref.Key)
 	out, err := pm.client.GetParameter(&ssm.GetParameterInput{
 	out, err := pm.client.GetParameter(&ssm.GetParameterInput{
-		Name:           &ref.Extract.Key,
+		Name:           &ref.Key,
 		WithDecryption: aws.Bool(true),
 		WithDecryption: aws.Bool(true),
 	})
 	})
 	if err != nil {
 	if err != nil {
 		return nil, util.SanitizeErr(err)
 		return nil, util.SanitizeErr(err)
 	}
 	}
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if out.Parameter.Value != nil {
 		if out.Parameter.Value != nil {
 			return []byte(*out.Parameter.Value), nil
 			return []byte(*out.Parameter.Value), nil
 		}
 		}
-		return nil, fmt.Errorf("invalid secret received. parameter value is nil for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. parameter value is nil for key: %s", ref.Key)
 	}
 	}
-	val := gjson.Get(*out.Parameter.Value, ref.Extract.Property)
+	val := gjson.Get(*out.Parameter.Value, ref.Property)
 	if !val.Exists() {
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	}
 	return []byte(val.String()), nil
 	return []byte(val.String()), nil
 }
 }
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
 // GetSecretMap returns multiple k/v pairs from the provider.
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	log.Info("fetching secret map", "key", ref.Extract.Key)
 	log.Info("fetching secret map", "key", ref.Extract.Key)
-	data, err := pm.GetSecret(ctx, ref)
+	data, err := pm.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}

+ 12 - 4
pkg/provider/aws/parameterstore/parameterstore_test.go

@@ -32,6 +32,7 @@ type parameterstoreTestCase struct {
 	apiInput       *ssm.GetParameterInput
 	apiInput       *ssm.GetParameterInput
 	apiOutput      *ssm.GetParameterOutput
 	apiOutput      *ssm.GetParameterOutput
 	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
 	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
+	remoteRefFrom  *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	apiErr         error
 	expectError    string
 	expectError    string
 	expectedSecret string
 	expectedSecret string
@@ -44,6 +45,7 @@ func makeValidParameterStoreTestCase() *parameterstoreTestCase {
 		apiInput:       makeValidAPIInput(),
 		apiInput:       makeValidAPIInput(),
 		apiOutput:      makeValidAPIOutput(),
 		apiOutput:      makeValidAPIOutput(),
 		remoteRef:      makeValidRemoteRef(),
 		remoteRef:      makeValidRemoteRef(),
+		remoteRefFrom:  makeValidRemoteRefFrom(),
 		apiErr:         nil,
 		apiErr:         nil,
 		expectError:    "",
 		expectError:    "",
 		expectedSecret: "",
 		expectedSecret: "",
@@ -68,6 +70,12 @@ func makeValidAPIOutput() *ssm.GetParameterOutput {
 
 
 func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key: "/baz",
+	}
+}
+
+func makeValidRemoteRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key: "/baz",
 			Key: "/baz",
 		},
 		},
@@ -96,20 +104,20 @@ func TestGetSecret(t *testing.T) {
 	setExtractProperty := func(pstc *parameterstoreTestCase) {
 	setExtractProperty := func(pstc *parameterstoreTestCase) {
 		pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
 		pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
 		pstc.expectedSecret = "bang"
 		pstc.expectedSecret = "bang"
-		pstc.remoteRef.Extract.Property = "/shmoo"
+		pstc.remoteRef.Property = "/shmoo"
 	}
 	}
 
 
 	// bad case: missing property
 	// bad case: missing property
 	setMissingProperty := func(pstc *parameterstoreTestCase) {
 	setMissingProperty := func(pstc *parameterstoreTestCase) {
 		pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
 		pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
-		pstc.remoteRef.Extract.Property = "INVALPROP"
+		pstc.remoteRef.Property = "INVALPROP"
 		pstc.expectError = "key INVALPROP does not exist in secret"
 		pstc.expectError = "key INVALPROP does not exist in secret"
 	}
 	}
 
 
 	// bad case: extract property failure due to invalid json
 	// bad case: extract property failure due to invalid json
 	setPropertyFail := func(pstc *parameterstoreTestCase) {
 	setPropertyFail := func(pstc *parameterstoreTestCase) {
 		pstc.apiOutput.Parameter.Value = aws.String(`------`)
 		pstc.apiOutput.Parameter.Value = aws.String(`------`)
-		pstc.remoteRef.Extract.Property = "INVALPROP"
+		pstc.remoteRef.Property = "INVALPROP"
 		pstc.expectError = "key INVALPROP does not exist in secret"
 		pstc.expectError = "key INVALPROP does not exist in secret"
 	}
 	}
 
 
@@ -176,7 +184,7 @@ func TestGetSecretMap(t *testing.T) {
 	ps := ParameterStore{}
 	ps := ParameterStore{}
 	for k, v := range successCases {
 	for k, v := range successCases {
 		ps.client = v.fakeClient
 		ps.client = v.fakeClient
-		out, err := ps.GetSecretMap(context.Background(), *v.remoteRef)
+		out, err := ps.GetSecretMap(context.Background(), *v.remoteRefFrom)
 		if !ErrorContains(err, v.expectError) {
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}

+ 13 - 13
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -52,18 +52,18 @@ func New(sess client.ConfigProvider) (*SecretsManager, error) {
 
 
 func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
 func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
 	ver := "AWSCURRENT"
 	ver := "AWSCURRENT"
-	if ref.Extract.Version != "" {
-		ver = ref.Extract.Version
+	if ref.Version != "" {
+		ver = ref.Version
 	}
 	}
-	log.Info("fetching secret value", "key", ref.Extract.Key, "version", ver)
+	log.Info("fetching secret value", "key", ref.Key, "version", ver)
 
 
-	cacheKey := fmt.Sprintf("%s#%s", ref.Extract.Key, ver)
+	cacheKey := fmt.Sprintf("%s#%s", ref.Key, ver)
 	if secretOut, found := sm.cache[cacheKey]; found {
 	if secretOut, found := sm.cache[cacheKey]; found {
-		log.Info("found secret in cache", "key", ref.Extract.Key, "version", ver)
+		log.Info("found secret in cache", "key", ref.Key, "version", ver)
 		return secretOut, nil
 		return secretOut, nil
 	}
 	}
 	secretOut, err := sm.client.GetSecretValue(&awssm.GetSecretValueInput{
 	secretOut, err := sm.client.GetSecretValue(&awssm.GetSecretValueInput{
-		SecretId:     &ref.Extract.Key,
+		SecretId:     &ref.Key,
 		VersionStage: &ver,
 		VersionStage: &ver,
 	})
 	})
 	if err != nil {
 	if err != nil {
@@ -80,14 +80,14 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.External
 	if err != nil {
 	if err != nil {
 		return nil, util.SanitizeErr(err)
 		return nil, util.SanitizeErr(err)
 	}
 	}
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if secretOut.SecretString != nil {
 		if secretOut.SecretString != nil {
 			return []byte(*secretOut.SecretString), nil
 			return []byte(*secretOut.SecretString), nil
 		}
 		}
 		if secretOut.SecretBinary != nil {
 		if secretOut.SecretBinary != nil {
 			return secretOut.SecretBinary, nil
 			return secretOut.SecretBinary, nil
 		}
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
 	}
 	}
 	var payload string
 	var payload string
 	if secretOut.SecretString != nil {
 	if secretOut.SecretString != nil {
@@ -97,17 +97,17 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.External
 		payload = string(secretOut.SecretBinary)
 		payload = string(secretOut.SecretBinary)
 	}
 	}
 
 
-	val := gjson.Get(payload, ref.Extract.Property)
+	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	}
 	return []byte(val.String()), nil
 	return []byte(val.String()), nil
 }
 }
 
 
 // GetSecretMap returns multiple k/v pairs from the provider.
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	log.Info("fetching secret map", "key", ref.Extract.Key)
 	log.Info("fetching secret map", "key", ref.Extract.Key)
-	data, err := sm.GetSecret(ctx, ref)
+	data, err := sm.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}
@@ -131,7 +131,7 @@ func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.Exter
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (sm *SecretsManager) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *SecretsManager) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }

+ 19 - 10
pkg/provider/aws/secretsmanager/secretsmanager_test.go

@@ -33,6 +33,7 @@ type secretsManagerTestCase struct {
 	apiInput       *awssm.GetSecretValueInput
 	apiInput       *awssm.GetSecretValueInput
 	apiOutput      *awssm.GetSecretValueOutput
 	apiOutput      *awssm.GetSecretValueOutput
 	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
 	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
+	remoteRefFrom  *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	apiErr         error
 	expectError    string
 	expectError    string
 	expectedSecret string
 	expectedSecret string
@@ -49,6 +50,7 @@ func makeValidSecretsManagerTestCase() *secretsManagerTestCase {
 		fakeClient:     fakesm.NewClient(),
 		fakeClient:     fakesm.NewClient(),
 		apiInput:       makeValidAPIInput(),
 		apiInput:       makeValidAPIInput(),
 		remoteRef:      makeValidRemoteRef(),
 		remoteRef:      makeValidRemoteRef(),
+		remoteRefFrom:  makeValidRemoteRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		apiOutput:      makeValidAPIOutput(),
 		apiErr:         nil,
 		apiErr:         nil,
 		expectError:    "",
 		expectError:    "",
@@ -61,6 +63,13 @@ func makeValidSecretsManagerTestCase() *secretsManagerTestCase {
 
 
 func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "/baz",
+		Version: "AWSCURRENT",
+	}
+}
+
+func makeValidRemoteRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "/baz",
 			Key:     "/baz",
 			Version: "AWSCURRENT",
 			Version: "AWSCURRENT",
@@ -110,20 +119,20 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 	// good case: extract property
 	// good case: extract property
 	// Testing that the property exists in the SecretString
 	// Testing that the property exists in the SecretString
 	setRemoteRefPropertyExistsInKey := func(smtc *secretsManagerTestCase) {
 	setRemoteRefPropertyExistsInKey := func(smtc *secretsManagerTestCase) {
-		smtc.remoteRef.Extract.Property = "/shmoo"
+		smtc.remoteRef.Property = "/shmoo"
 		smtc.apiOutput.SecretString = aws.String(`{"/shmoo": "bang"}`)
 		smtc.apiOutput.SecretString = aws.String(`{"/shmoo": "bang"}`)
 		smtc.expectedSecret = "bang"
 		smtc.expectedSecret = "bang"
 	}
 	}
 
 
 	// bad case: missing property
 	// bad case: missing property
 	setRemoteRefMissingProperty := func(smtc *secretsManagerTestCase) {
 	setRemoteRefMissingProperty := func(smtc *secretsManagerTestCase) {
-		smtc.remoteRef.Extract.Property = "INVALPROP"
+		smtc.remoteRef.Property = "INVALPROP"
 		smtc.expectError = "key INVALPROP does not exist in secret"
 		smtc.expectError = "key INVALPROP does not exist in secret"
 	}
 	}
 
 
 	// bad case: extract property failure due to invalid json
 	// bad case: extract property failure due to invalid json
 	setRemoteRefMissingPropertyInvalidJSON := func(smtc *secretsManagerTestCase) {
 	setRemoteRefMissingPropertyInvalidJSON := func(smtc *secretsManagerTestCase) {
-		smtc.remoteRef.Extract.Property = "INVALPROP"
+		smtc.remoteRef.Property = "INVALPROP"
 		smtc.apiOutput.SecretString = aws.String(`------`)
 		smtc.apiOutput.SecretString = aws.String(`------`)
 		smtc.expectError = "key INVALPROP does not exist in secret"
 		smtc.expectError = "key INVALPROP does not exist in secret"
 	}
 	}
@@ -146,14 +155,14 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 	setNestedSecretValueJSONParsing := func(smtc *secretsManagerTestCase) {
 	setNestedSecretValueJSONParsing := func(smtc *secretsManagerTestCase) {
 		smtc.apiOutput.SecretString = nil
 		smtc.apiOutput.SecretString = nil
 		smtc.apiOutput.SecretBinary = []byte(`{"foobar":{"baz":"nestedval"}}`)
 		smtc.apiOutput.SecretBinary = []byte(`{"foobar":{"baz":"nestedval"}}`)
-		smtc.remoteRef.Extract.Property = "foobar.baz"
+		smtc.remoteRef.Property = "foobar.baz"
 		smtc.expectedSecret = "nestedval"
 		smtc.expectedSecret = "nestedval"
 	}
 	}
 
 
 	// good case: custom version set
 	// good case: custom version set
 	setCustomVersion := func(smtc *secretsManagerTestCase) {
 	setCustomVersion := func(smtc *secretsManagerTestCase) {
 		smtc.apiInput.VersionStage = aws.String("1234")
 		smtc.apiInput.VersionStage = aws.String("1234")
-		smtc.remoteRef.Extract.Version = "1234"
+		smtc.remoteRef.Version = "1234"
 		smtc.apiOutput.SecretString = aws.String("FOOBA!")
 		smtc.apiOutput.SecretString = aws.String("FOOBA!")
 		smtc.expectedSecret = "FOOBA!"
 		smtc.expectedSecret = "FOOBA!"
 	}
 	}
@@ -192,26 +201,26 @@ func TestCaching(t *testing.T) {
 	// over 1
 	// over 1
 	firstCall := func(smtc *secretsManagerTestCase) {
 	firstCall := func(smtc *secretsManagerTestCase) {
 		smtc.apiOutput.SecretString = aws.String(`{"foo":"bar", "bar":"vodka"}`)
 		smtc.apiOutput.SecretString = aws.String(`{"foo":"bar", "bar":"vodka"}`)
-		smtc.remoteRef.Extract.Property = "foo"
+		smtc.remoteRef.Property = "foo"
 		smtc.expectedSecret = "bar"
 		smtc.expectedSecret = "bar"
 		smtc.expectedCounter = aws.Int(1)
 		smtc.expectedCounter = aws.Int(1)
 		smtc.fakeClient = fakeClient
 		smtc.fakeClient = fakeClient
 	}
 	}
 	secondCall := func(smtc *secretsManagerTestCase) {
 	secondCall := func(smtc *secretsManagerTestCase) {
 		smtc.apiOutput.SecretString = aws.String(`{"foo":"bar", "bar":"vodka"}`)
 		smtc.apiOutput.SecretString = aws.String(`{"foo":"bar", "bar":"vodka"}`)
-		smtc.remoteRef.Extract.Property = "bar"
+		smtc.remoteRef.Property = "bar"
 		smtc.expectedSecret = "vodka"
 		smtc.expectedSecret = "vodka"
 		smtc.expectedCounter = aws.Int(1)
 		smtc.expectedCounter = aws.Int(1)
 		smtc.fakeClient = fakeClient
 		smtc.fakeClient = fakeClient
 	}
 	}
 	notCachedCall := func(smtc *secretsManagerTestCase) {
 	notCachedCall := func(smtc *secretsManagerTestCase) {
 		smtc.apiOutput.SecretString = aws.String(`{"sheldon":"bazinga", "bar":"foo"}`)
 		smtc.apiOutput.SecretString = aws.String(`{"sheldon":"bazinga", "bar":"foo"}`)
-		smtc.remoteRef.Extract.Property = "sheldon"
+		smtc.remoteRef.Property = "sheldon"
 		smtc.expectedSecret = "bazinga"
 		smtc.expectedSecret = "bazinga"
 		smtc.expectedCounter = aws.Int(2)
 		smtc.expectedCounter = aws.Int(2)
 		smtc.fakeClient = fakeClient
 		smtc.fakeClient = fakeClient
 		smtc.apiInput.SecretId = aws.String("xyz")
 		smtc.apiInput.SecretId = aws.String("xyz")
-		smtc.remoteRef.Extract.Key = "xyz" // it should reset the cache since the key is different
+		smtc.remoteRef.Key = "xyz" // it should reset the cache since the key is different
 	}
 	}
 
 
 	cachedCases := []*secretsManagerTestCase{
 	cachedCases := []*secretsManagerTestCase{
@@ -278,7 +287,7 @@ func TestGetSecretMap(t *testing.T) {
 			cache:  make(map[string]*awssm.GetSecretValueOutput),
 			cache:  make(map[string]*awssm.GetSecretValueOutput),
 			client: v.fakeClient,
 			client: v.fakeClient,
 		}
 		}
-		out, err := sm.GetSecretMap(context.Background(), *v.remoteRef)
+		out, err := sm.GetSecretMap(context.Background(), *v.remoteRefFrom)
 		if !ErrorContains(err, v.expectError) {
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf(unexpectedErrorString, k, err.Error(), v.expectError)
 			t.Errorf(unexpectedErrorString, k, err.Error(), v.expectError)
 		}
 		}

+ 13 - 12
pkg/provider/azure/keyvault/keyvault.go

@@ -99,8 +99,8 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
 		return nil, fmt.Errorf("%s name cannot be empty", objectType)
 		return nil, fmt.Errorf("%s name cannot be empty", objectType)
 	}
 	}
 
 
-	if ref.Extract.Version != "" {
-		version = ref.Extract.Version
+	if ref.Version != "" {
+		version = ref.Version
 	}
 	}
 
 
 	switch objectType {
 	switch objectType {
@@ -111,12 +111,12 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
 		if err != nil {
 		if err != nil {
 			return nil, err
 			return nil, err
 		}
 		}
-		if ref.Extract.Property == "" {
+		if ref.Property == "" {
 			return []byte(*secretResp.Value), nil
 			return []byte(*secretResp.Value), nil
 		}
 		}
-		res := gjson.Get(*secretResp.Value, ref.Extract.Property)
+		res := gjson.Get(*secretResp.Value, ref.Property)
 		if !res.Exists() {
 		if !res.Exists() {
-			return nil, fmt.Errorf("property %s does not exist in key %s", ref.Extract.Property, ref.Extract.Key)
+			return nil, fmt.Errorf("property %s does not exist in key %s", ref.Property, ref.Key)
 		}
 		}
 		return []byte(res.String()), err
 		return []byte(res.String()), err
 	case "cert":
 	case "cert":
@@ -143,12 +143,13 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
 
 
 // Implements store.Client.GetSecretMap Interface.
 // Implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
 // New version of GetSecretMap.
-func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	objectType, secretName := getObjType(ref)
+func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+	dataRef := ref.GetDataRemoteRef()
+	objectType, secretName := getObjType(dataRef)
 
 
 	switch objectType {
 	switch objectType {
 	case defaultObjType:
 	case defaultObjType:
-		data, err := a.GetSecret(ctx, ref)
+		data, err := a.GetSecret(ctx, dataRef)
 		if err != nil {
 		if err != nil {
 			return nil, err
 			return nil, err
 		}
 		}
@@ -176,7 +177,7 @@ func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretD
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	basicClient := a.baseClient
 	basicClient := a.baseClient
 	secretsMap := make(map[string][]byte)
 	secretsMap := make(map[string][]byte)
 	checkTags := len(ref.Find.Tags) > 0
 	checkTags := len(ref.Find.Tags) > 0
@@ -218,12 +219,12 @@ func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecret
 	return secretsMap, nil
 	return secretsMap, nil
 }
 }
 
 
-func okByName(ref esv1alpha1.ExternalSecretDataRemoteRef, secretName string) bool {
+func okByName(ref esv1alpha1.ExternalSecretDataFromRemoteRef, secretName string) bool {
 	matches, _ := regexp.MatchString(ref.Find.Name.RegExp, secretName)
 	matches, _ := regexp.MatchString(ref.Find.Name.RegExp, secretName)
 	return matches
 	return matches
 }
 }
 
 
-func okByTags(ref esv1alpha1.ExternalSecretDataRemoteRef, secret keyvault.SecretItem) bool {
+func okByTags(ref esv1alpha1.ExternalSecretDataFromRemoteRef, secret keyvault.SecretItem) bool {
 	tagsFound := true
 	tagsFound := true
 	for k, v := range ref.Find.Tags {
 	for k, v := range ref.Find.Tags {
 		if val, ok := secret.Tags[k]; !ok || *val != v {
 		if val, ok := secret.Tags[k]; !ok || *val != v {
@@ -333,7 +334,7 @@ func (a *Azure) Close(ctx context.Context) error {
 func getObjType(ref esv1alpha1.ExternalSecretDataRemoteRef) (string, string) {
 func getObjType(ref esv1alpha1.ExternalSecretDataRemoteRef) (string, string) {
 	objectType := defaultObjType
 	objectType := defaultObjType
 
 
-	secretName := ref.Extract.Key
+	secretName := ref.Key
 	nameSplitted := strings.Split(secretName, "/")
 	nameSplitted := strings.Split(secretName, "/")
 
 
 	if len(nameSplitted) > 1 {
 	if len(nameSplitted) > 1 {

+ 31 - 22
pkg/provider/azure/keyvault/keyvault_test.go

@@ -39,6 +39,7 @@ type secretManagerTestCase struct {
 	secretVersion  string
 	secretVersion  string
 	serviceURL     string
 	serviceURL     string
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	apiErr         error
 	secretOutput   keyvault.SecretBundle
 	secretOutput   keyvault.SecretBundle
 	keyOutput      keyvault.KeyBundle
 	keyOutput      keyvault.KeyBundle
@@ -57,6 +58,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		secretName:     "MySecret",
 		secretName:     "MySecret",
 		secretVersion:  "",
 		secretVersion:  "",
 		ref:            makeValidRef(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		secretOutput:   keyvault.SecretBundle{Value: &secretString},
 		secretOutput:   keyvault.SecretBundle{Value: &secretString},
 		serviceURL:     "",
 		serviceURL:     "",
 		apiErr:         nil,
 		apiErr:         nil,
@@ -188,7 +190,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 	}
 	}
 
 
 	badNoNameSecret := func(smtc *secretManagerTestCase) {
 	badNoNameSecret := func(smtc *secretManagerTestCase) {
-		smtc.ref.Extract.Key = ""
+		smtc.ref.Key = ""
 		smtc.expectedSecret = ""
 		smtc.expectedSecret = ""
 		smtc.secretName = "secret/"
 		smtc.secretName = "secret/"
 		smtc.expectError = fmt.Sprintf("%s name cannot be empty", "secret")
 		smtc.expectError = fmt.Sprintf("%s name cannot be empty", "secret")
@@ -199,8 +201,8 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &secretString,
 			Value: &secretString,
 		}
 		}
-		smtc.ref.Extract.Version = "v1"
-		smtc.secretVersion = smtc.ref.Extract.Version
+		smtc.ref.Version = "v1"
+		smtc.secretVersion = smtc.ref.Version
 	}
 	}
 
 
 	setSecretWithProperty := func(smtc *secretManagerTestCase) {
 	setSecretWithProperty := func(smtc *secretManagerTestCase) {
@@ -209,7 +211,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &jsonString,
 			Value: &jsonString,
 		}
 		}
-		smtc.ref.Extract.Property = "Name"
+		smtc.ref.Property = "Name"
 	}
 	}
 
 
 	badSecretWithProperty := func(smtc *secretManagerTestCase) {
 	badSecretWithProperty := func(smtc *secretManagerTestCase) {
@@ -218,8 +220,8 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &jsonString,
 			Value: &jsonString,
 		}
 		}
-		smtc.ref.Extract.Property = "Age"
-		smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Extract.Property, smtc.ref.Extract.Key)
+		smtc.ref.Property = "Age"
+		smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Property, smtc.ref.Key)
 		smtc.apiErr = fmt.Errorf(smtc.expectError)
 		smtc.apiErr = fmt.Errorf(smtc.expectError)
 	}
 	}
 
 
@@ -230,7 +232,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.keyOutput = keyvault.KeyBundle{
 		smtc.keyOutput = keyvault.KeyBundle{
 			Key: newKVJWK([]byte(jwkPubRSA)),
 			Key: newKVJWK([]byte(jwkPubRSA)),
 		}
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.ref.Key = smtc.secretName
 	}
 	}
 
 
 	// // good case: key set
 	// // good case: key set
@@ -240,7 +242,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.keyOutput = keyvault.KeyBundle{
 		smtc.keyOutput = keyvault.KeyBundle{
 			Key: newKVJWK([]byte(jwkPubEC)),
 			Key: newKVJWK([]byte(jwkPubEC)),
 		}
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.ref.Key = smtc.secretName
 	}
 	}
 
 
 	// // good case: key set
 	// // good case: key set
@@ -251,14 +253,14 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 		smtc.certOutput = keyvault.CertificateBundle{
 		smtc.certOutput = keyvault.CertificateBundle{
 			Cer: &byteArrString,
 			Cer: &byteArrString,
 		}
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.ref.Key = smtc.secretName
 	}
 	}
 
 
 	badSecretType := func(smtc *secretManagerTestCase) {
 	badSecretType := func(smtc *secretManagerTestCase) {
 		smtc.secretName = "name"
 		smtc.secretName = "name"
 		smtc.expectedSecret = ""
 		smtc.expectedSecret = ""
 		smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
 		smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
-		smtc.ref.Extract.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
+		smtc.ref.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
 	}
 	}
 
 
 	successCases := []*secretManagerTestCase{
 	successCases := []*secretManagerTestCase{
@@ -313,7 +315,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &jsonString,
 			Value: &jsonString,
 		}
 		}
-		smtc.ref.Extract.Property = "Address"
+		smtc.refFrom.Extract.Property = "Address"
 
 
 		smtc.expectedData["Street"] = []byte("Myroad st.")
 		smtc.expectedData["Street"] = []byte("Myroad st.")
 		smtc.expectedData["CP"] = []byte("J4K4T4")
 		smtc.expectedData["CP"] = []byte("J4K4T4")
@@ -325,8 +327,8 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &jsonString,
 			Value: &jsonString,
 		}
 		}
-		smtc.ref.Extract.Property = "Age"
-		smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Extract.Property, smtc.ref.Extract.Key)
+		smtc.refFrom.Extract.Property = "Age"
+		smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Property, smtc.ref.Key)
 		smtc.apiErr = fmt.Errorf(smtc.expectError)
 		smtc.apiErr = fmt.Errorf(smtc.expectError)
 	}
 	}
 
 
@@ -336,7 +338,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.keyOutput = keyvault.KeyBundle{
 		smtc.keyOutput = keyvault.KeyBundle{
 			Key: newKVJWK([]byte(jwkPubRSA)),
 			Key: newKVJWK([]byte(jwkPubRSA)),
 		}
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.refFrom.Extract.Key = smtc.secretName
 		smtc.expectError = "cannot get use dataFrom to get key secret"
 		smtc.expectError = "cannot get use dataFrom to get key secret"
 	}
 	}
 
 
@@ -347,7 +349,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.certOutput = keyvault.CertificateBundle{
 		smtc.certOutput = keyvault.CertificateBundle{
 			Cer: &byteArrString,
 			Cer: &byteArrString,
 		}
 		}
-		smtc.ref.Extract.Key = smtc.secretName
+		smtc.refFrom.Extract.Key = smtc.secretName
 		smtc.expectError = "cannot get use dataFrom to get certificate secret"
 		smtc.expectError = "cannot get use dataFrom to get certificate secret"
 	}
 	}
 
 
@@ -355,7 +357,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 		smtc.secretName = "name"
 		smtc.secretName = "name"
 		smtc.expectedSecret = ""
 		smtc.expectedSecret = ""
 		smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
 		smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
-		smtc.ref.Extract.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
+		smtc.refFrom.Extract.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
 	}
 	}
 
 
 	successCases := []*secretManagerTestCase{
 	successCases := []*secretManagerTestCase{
@@ -371,7 +373,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 	sm := Azure{}
 	sm := Azure{}
 	for k, v := range successCases {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		sm.baseClient = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !utils.ErrorContains(err, v.expectError) {
 		if !utils.ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}
@@ -398,7 +400,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	}
 	}
 
 
 	setOneSecretByName := func(smtc *secretManagerTestCase) {
 	setOneSecretByName := func(smtc *secretManagerTestCase) {
-		smtc.ref.Find.Name.RegExp = regexp
+		smtc.refFrom.Find.Name.RegExp = regexp
 		enabledAtt := keyvault.SecretAttributes{
 		enabledAtt := keyvault.SecretAttributes{
 			Enabled: &enabled,
 			Enabled: &enabled,
 		}
 		}
@@ -426,7 +428,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	}
 	}
 
 
 	setTwoSecretsByName := func(smtc *secretManagerTestCase) {
 	setTwoSecretsByName := func(smtc *secretManagerTestCase) {
-		smtc.ref.Find.Name.RegExp = regexp
+		smtc.refFrom.Find.Name.RegExp = regexp
 		enabledAtt := keyvault.SecretAttributes{
 		enabledAtt := keyvault.SecretAttributes{
 			Enabled: &enabled,
 			Enabled: &enabled,
 		}
 		}
@@ -482,7 +484,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &secretString,
 			Value: &secretString,
 		}
 		}
-		smtc.ref.Find.Tags = map[string]string{"environment": environment}
+		smtc.refFrom.Find.Tags = map[string]string{"environment": environment}
 
 
 		smtc.expectedData[secretName] = []byte(secretString)
 		smtc.expectedData[secretName] = []byte(secretString)
 	}
 	}
@@ -512,7 +514,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 		smtc.secretOutput = keyvault.SecretBundle{
 		smtc.secretOutput = keyvault.SecretBundle{
 			Value: &secretString,
 			Value: &secretString,
 		}
 		}
-		smtc.ref.Find.Tags = map[string]string{"environment": environment, "author": author}
+		smtc.refFrom.Find.Tags = map[string]string{"environment": environment, "author": author}
 
 
 		smtc.expectedData[secretName] = []byte(secretString)
 		smtc.expectedData[secretName] = []byte(secretString)
 	}
 	}
@@ -527,7 +529,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	sm := Azure{}
 	sm := Azure{}
 	for k, v := range successCases {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		sm.baseClient = v.mockClient
-		out, err := sm.GetAllSecrets(context.Background(), *v.ref)
+		out, err := sm.GetAllSecrets(context.Background(), *v.refFrom)
 		if !utils.ErrorContains(err, v.expectError) {
 		if !utils.ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}
@@ -539,6 +541,13 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Key:     "test-secret",
 			Version: "default",
 			Version: "default",

+ 5 - 5
pkg/provider/fake/fake.go

@@ -31,7 +31,7 @@ type Client struct {
 	NewFn func(context.Context, esv1alpha1.GenericStore, client.Client,
 	NewFn func(context.Context, esv1alpha1.GenericStore, client.Client,
 		string) (provider.SecretsClient, error)
 		string) (provider.SecretsClient, error)
 	GetSecretFn    func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
 	GetSecretFn    func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
-	GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
+	GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 }
 }
 
 
 // New returns a fake provider/client.
 // New returns a fake provider/client.
@@ -40,7 +40,7 @@ func New() *Client {
 		GetSecretFn: func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
 		GetSecretFn: func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
 			return nil, nil
 			return nil, nil
 		},
 		},
-		GetSecretMapFn: func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+		GetSecretMapFn: func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 			return nil, nil
 			return nil, nil
 		},
 		},
 	}
 	}
@@ -72,13 +72,13 @@ func (v *Client) WithGetSecret(secData []byte, err error) *Client {
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (v *Client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (v *Client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
 // GetSecretMap imeplements the provider.Provider interface.
 // GetSecretMap imeplements the provider.Provider interface.
-func (v *Client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (v *Client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return v.GetSecretMapFn(ctx, ref)
 	return v.GetSecretMapFn(ctx, ref)
 }
 }
 func (v *Client) Close(ctx context.Context) error {
 func (v *Client) Close(ctx context.Context) error {
@@ -87,7 +87,7 @@ func (v *Client) Close(ctx context.Context) error {
 
 
 // WithGetSecretMap wraps the secret data map returned by this fake provider.
 // WithGetSecretMap wraps the secret data map returned by this fake provider.
 func (v *Client) WithGetSecretMap(secData map[string][]byte, err error) *Client {
 func (v *Client) WithGetSecretMap(secData map[string][]byte, err error) *Client {
-	v.GetSecretMapFn = func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+	v.GetSecretMapFn = func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 		return secData, err
 		return secData, err
 	}
 	}
 	return v
 	return v

+ 9 - 9
pkg/provider/gcp/secretmanager/secretsmanager.go

@@ -167,24 +167,24 @@ func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSec
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 	}
 	}
 
 
-	version := ref.Extract.Version
+	version := ref.Version
 	if version == "" {
 	if version == "" {
 		version = defaultVersion
 		version = defaultVersion
 	}
 	}
 
 
 	req := &secretmanagerpb.AccessSecretVersionRequest{
 	req := &secretmanagerpb.AccessSecretVersionRequest{
-		Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", sm.projectID, ref.Extract.Key, version),
+		Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", sm.projectID, ref.Key, version),
 	}
 	}
 	result, err := sm.SecretManagerClient.AccessSecretVersion(ctx, req)
 	result, err := sm.SecretManagerClient.AccessSecretVersion(ctx, req)
 	if err != nil {
 	if err != nil {
 		return nil, fmt.Errorf(errClientGetSecretAccess, err)
 		return nil, fmt.Errorf(errClientGetSecretAccess, err)
 	}
 	}
 
 
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if result.Payload.Data != nil {
 		if result.Payload.Data != nil {
 			return result.Payload.Data, nil
 			return result.Payload.Data, nil
 		}
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Key)
 	}
 	}
 
 
 	var payload string
 	var payload string
@@ -192,27 +192,27 @@ func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSec
 		payload = string(result.Payload.Data)
 		payload = string(result.Payload.Data)
 	}
 	}
 
 
-	val := gjson.Get(payload, ref.Extract.Property)
+	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	}
 	return []byte(val.String()), nil
 	return []byte(val.String()), nil
 }
 }
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (sm *ProviderGCP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *ProviderGCP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
 // GetSecretMap returns multiple k/v pairs from the provider.
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if sm.SecretManagerClient == nil || sm.projectID == "" {
 	if sm.SecretManagerClient == nil || sm.projectID == "" {
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 	}
 	}
 
 
-	data, err := sm.GetSecret(ctx, ref)
+	data, err := sm.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}

+ 14 - 7
pkg/provider/gcp/secretmanager/secretsmanager_test.go

@@ -31,6 +31,7 @@ type secretManagerTestCase struct {
 	apiInput       *secretmanagerpb.AccessSecretVersionRequest
 	apiInput       *secretmanagerpb.AccessSecretVersionRequest
 	apiOutput      *secretmanagerpb.AccessSecretVersionResponse
 	apiOutput      *secretmanagerpb.AccessSecretVersionResponse
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	projectID      string
 	projectID      string
 	apiErr         error
 	apiErr         error
 	expectError    string
 	expectError    string
@@ -44,6 +45,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		mockClient:     &fakesm.MockSMClient{},
 		mockClient:     &fakesm.MockSMClient{},
 		apiInput:       makeValidAPIInput(),
 		apiInput:       makeValidAPIInput(),
 		ref:            makeValidRef(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		apiOutput:      makeValidAPIOutput(),
 		projectID:      "default",
 		projectID:      "default",
 		apiErr:         nil,
 		apiErr:         nil,
@@ -58,6 +60,13 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "/baz",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "/baz",
 			Key:     "/baz",
 			Version: "default",
 			Version: "default",
@@ -113,11 +122,9 @@ func TestSecretManagerGetSecret(t *testing.T) {
 	// good case: ref with
 	// good case: ref with
 	setCustomRef := func(smtc *secretManagerTestCase) {
 	setCustomRef := func(smtc *secretManagerTestCase) {
 		smtc.ref = &esv1alpha1.ExternalSecretDataRemoteRef{
 		smtc.ref = &esv1alpha1.ExternalSecretDataRemoteRef{
-			Extract: esv1alpha1.ExternalSecretExtract{
-				Key:      "/baz",
-				Version:  "default",
-				Property: "name.first",
-			},
+			Key:      "/baz",
+			Version:  "default",
+			Property: "name.first",
 		}
 		}
 		smtc.apiInput.Name = "projects/default/secrets//baz/versions/default"
 		smtc.apiInput.Name = "projects/default/secrets//baz/versions/default"
 		smtc.apiOutput.Payload.Data = []byte(
 		smtc.apiOutput.Payload.Data = []byte(
@@ -134,7 +141,7 @@ func TestSecretManagerGetSecret(t *testing.T) {
 
 
 	// good case: custom version set
 	// good case: custom version set
 	setCustomVersion := func(smtc *secretManagerTestCase) {
 	setCustomVersion := func(smtc *secretManagerTestCase) {
-		smtc.ref.Extract.Version = "1234"
+		smtc.ref.Version = "1234"
 		smtc.apiInput.Name = "projects/default/secrets//baz/versions/1234"
 		smtc.apiInput.Name = "projects/default/secrets//baz/versions/1234"
 		smtc.apiOutput.Payload.Data = []byte("FOOBA!")
 		smtc.apiOutput.Payload.Data = []byte("FOOBA!")
 		smtc.expectedSecret = "FOOBA!"
 		smtc.expectedSecret = "FOOBA!"
@@ -195,7 +202,7 @@ func TestGetSecretMap(t *testing.T) {
 	for k, v := range successCases {
 	for k, v := range successCases {
 		sm.projectID = v.projectID
 		sm.projectID = v.projectID
 		sm.SecretManagerClient = v.mockClient
 		sm.SecretManagerClient = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}

+ 9 - 9
pkg/provider/gitlab/gitlab.go

@@ -153,7 +153,7 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 		return nil, fmt.Errorf(errUninitalizedGitlabProvider)
 		return nil, fmt.Errorf(errUninitalizedGitlabProvider)
 	}
 	}
 	// Need to replace hyphens with underscores to work with Gitlab API
 	// Need to replace hyphens with underscores to work with Gitlab API
-	ref.Extract.Key = strings.ReplaceAll(ref.Extract.Key, "-", "_")
+	ref.Key = strings.ReplaceAll(ref.Key, "-", "_")
 	// Retrieves a gitlab variable in the form
 	// Retrieves a gitlab variable in the form
 	// {
 	// {
 	// 	"key": "TEST_VARIABLE_1",
 	// 	"key": "TEST_VARIABLE_1",
@@ -161,16 +161,16 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 	// 	"value": "TEST_1",
 	// 	"value": "TEST_1",
 	// 	"protected": false,
 	// 	"protected": false,
 	// 	"masked": true
 	// 	"masked": true
-	data, _, err := g.client.GetVariable(g.projectID, ref.Extract.Key, nil) // Optional 'filter' parameter could be added later
+	data, _, err := g.client.GetVariable(g.projectID, ref.Key, nil) // Optional 'filter' parameter could be added later
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}
 
 
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		if data.Value != "" {
 		if data.Value != "" {
 			return []byte(data.Value), nil
 			return []byte(data.Value), nil
 		}
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Extract.Key)
+		return nil, fmt.Errorf("invalid secret received. no secret string for key: %s", ref.Key)
 	}
 	}
 
 
 	var payload string
 	var payload string
@@ -178,23 +178,23 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 		payload = data.Value
 		payload = data.Value
 	}
 	}
 
 
-	val := gjson.Get(payload, ref.Extract.Property)
+	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 	}
 	}
 	return []byte(val.String()), nil
 	return []byte(val.String()), nil
 }
 }
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (g *Gitlab) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (g *Gitlab) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
-func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// Gets a secret as normal, expecting secret value to be a json object
 	// Gets a secret as normal, expecting secret value to be a json object
-	data, err := g.GetSecret(ctx, ref)
+	data, err := g.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 	if err != nil {
 		return nil, fmt.Errorf("error getting secret %s: %w", ref.Extract.Key, err)
 		return nil, fmt.Errorf("error getting secret %s: %w", ref.Extract.Key, err)
 	}
 	}

+ 10 - 1
pkg/provider/gitlab/gitlab_test.go

@@ -32,6 +32,7 @@ type secretManagerTestCase struct {
 	apiInputKey       string
 	apiInputKey       string
 	apiOutput         *gitlab.ProjectVariable
 	apiOutput         *gitlab.ProjectVariable
 	ref               *esv1alpha1.ExternalSecretDataRemoteRef
 	ref               *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom           *esv1alpha1.ExternalSecretDataFromRemoteRef
 	projectID         *string
 	projectID         *string
 	apiErr            error
 	apiErr            error
 	expectError       string
 	expectError       string
@@ -46,6 +47,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		apiInputProjectID: makeValidAPIInputProjectID(),
 		apiInputProjectID: makeValidAPIInputProjectID(),
 		apiInputKey:       makeValidAPIInputKey(),
 		apiInputKey:       makeValidAPIInputKey(),
 		ref:               makeValidRef(),
 		ref:               makeValidRef(),
+		refFrom:           makeValidRefFrom(),
 		projectID:         nil,
 		projectID:         nil,
 		apiOutput:         makeValidAPIOutput(),
 		apiOutput:         makeValidAPIOutput(),
 		apiErr:            nil,
 		apiErr:            nil,
@@ -59,6 +61,13 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Key:     "test-secret",
 			Version: "default",
 			Version: "default",
@@ -159,7 +168,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := Gitlab{}
 	sm := Gitlab{}
 	for k, v := range successCases {
 	for k, v := range successCases {
 		sm.client = v.mockClient
 		sm.client = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}

+ 10 - 10
pkg/provider/ibm/provider.go

@@ -95,7 +95,7 @@ func (c *client) setAuth(ctx context.Context) error {
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (ibm *providerIBM) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (ibm *providerIBM) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
@@ -106,7 +106,7 @@ func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSe
 	}
 	}
 
 
 	secretType := sm.GetSecretOptionsSecretTypeArbitraryConst
 	secretType := sm.GetSecretOptionsSecretTypeArbitraryConst
-	secretName := ref.Extract.Key
+	secretName := ref.Key
 	nameSplitted := strings.Split(secretName, "/")
 	nameSplitted := strings.Split(secretName, "/")
 
 
 	if len(nameSplitted) > 1 {
 	if len(nameSplitted) > 1 {
@@ -121,7 +121,7 @@ func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSe
 
 
 	case sm.CreateSecretOptionsSecretTypeUsernamePasswordConst:
 	case sm.CreateSecretOptionsSecretTypeUsernamePasswordConst:
 
 
-		if ref.Extract.Property == "" {
+		if ref.Property == "" {
 			return nil, fmt.Errorf("remoteRef.property required for secret type username_password")
 			return nil, fmt.Errorf("remoteRef.property required for secret type username_password")
 		}
 		}
 		return getUsernamePasswordSecret(ibm, &secretName, ref)
 		return getUsernamePasswordSecret(ibm, &secretName, ref)
@@ -132,8 +132,8 @@ func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSe
 
 
 	case sm.CreateSecretOptionsSecretTypeImportedCertConst:
 	case sm.CreateSecretOptionsSecretTypeImportedCertConst:
 
 
-		if ref.Extract.Property == "" {
-			return nil, fmt.Errorf("remoteRef.Extract.property required for secret type imported_cert")
+		if ref.Property == "" {
+			return nil, fmt.Errorf("remoteref.Property required for secret type imported_cert")
 		}
 		}
 
 
 		return getImportCertSecret(ibm, &secretName, ref)
 		return getImportCertSecret(ibm, &secretName, ref)
@@ -171,10 +171,10 @@ func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1alpha1.Ex
 	secret := response.Resources[0].(*sm.SecretResource)
 	secret := response.Resources[0].(*sm.SecretResource)
 	secretData := secret.SecretData.(map[string]interface{})
 	secretData := secret.SecretData.(map[string]interface{})
 
 
-	if val, ok := secretData[ref.Extract.Property]; ok {
+	if val, ok := secretData[ref.Property]; ok {
 		return []byte(val.(string)), nil
 		return []byte(val.(string)), nil
 	}
 	}
-	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 }
 }
 
 
 func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, error) {
 func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, error) {
@@ -206,13 +206,13 @@ func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alp
 	secret := response.Resources[0].(*sm.SecretResource)
 	secret := response.Resources[0].(*sm.SecretResource)
 	secretData := secret.SecretData.(map[string]interface{})
 	secretData := secret.SecretData.(map[string]interface{})
 
 
-	if val, ok := secretData[ref.Extract.Property]; ok {
+	if val, ok := secretData[ref.Property]; ok {
 		return []byte(val.(string)), nil
 		return []byte(val.(string)), nil
 	}
 	}
-	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Extract.Property, ref.Extract.Key)
+	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 }
 }
 
 
-func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(ibm.IBMClient) {
 	if utils.IsNil(ibm.IBMClient) {
 		return nil, fmt.Errorf(errUninitalizedIBMProvider)
 		return nil, fmt.Errorf(errUninitalizedIBMProvider)
 	}
 	}

+ 22 - 13
pkg/provider/ibm/provider_test.go

@@ -37,6 +37,7 @@ type secretManagerTestCase struct {
 	apiInput       *sm.GetSecretOptions
 	apiInput       *sm.GetSecretOptions
 	apiOutput      *sm.GetSecret
 	apiOutput      *sm.GetSecret
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	serviceURL     *string
 	serviceURL     *string
 	apiErr         error
 	apiErr         error
 	expectError    string
 	expectError    string
@@ -50,6 +51,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		mockClient:     &fakesm.IBMMockClient{},
 		mockClient:     &fakesm.IBMMockClient{},
 		apiInput:       makeValidAPIInput(),
 		apiInput:       makeValidAPIInput(),
 		ref:            makeValidRef(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		apiOutput:      makeValidAPIOutput(),
 		serviceURL:     nil,
 		serviceURL:     nil,
 		apiErr:         nil,
 		apiErr:         nil,
@@ -63,6 +65,13 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Key:     "test-secret",
 			Version: "default",
 			Version: "default",
@@ -148,7 +157,7 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 				Name:       utilpointer.StringPtr("testyname"),
 				Name:       utilpointer.StringPtr("testyname"),
 				SecretData: secretData,
 				SecretData: secretData,
 			}}
 			}}
-		smtc.ref.Extract.Key = "testyname"
+		smtc.ref.Key = "testyname"
 		smtc.apiInput.ID = utilpointer.StringPtr("testyname")
 		smtc.apiInput.ID = utilpointer.StringPtr("testyname")
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
 		smtc.expectedSecret = secretString
 		smtc.expectedSecret = secretString
@@ -166,7 +175,7 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = secretUserPass
+		smtc.ref.Key = secretUserPass
 		smtc.expectError = "remoteRef.property required for secret type username_password"
 		smtc.expectError = "remoteRef.property required for secret type username_password"
 	}
 	}
 
 
@@ -181,8 +190,8 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = secretUserPass
-		smtc.ref.Extract.Property = "password"
+		smtc.ref.Key = secretUserPass
+		smtc.ref.Property = "password"
 		smtc.expectedSecret = secretPassword
 		smtc.expectedSecret = secretPassword
 	}
 	}
 
 
@@ -197,7 +206,7 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeIamCredentialsConst)
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeIamCredentialsConst)
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = "iam_credentials/test-secret"
+		smtc.ref.Key = "iam_credentials/test-secret"
 		smtc.expectedSecret = secretAPIKey
 		smtc.expectedSecret = secretAPIKey
 	}
 	}
 
 
@@ -213,8 +222,8 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = secretCert
-		smtc.ref.Extract.Property = "certificate"
+		smtc.ref.Key = secretCert
+		smtc.ref.Property = "certificate"
 		smtc.expectedSecret = secretCertificate
 		smtc.expectedSecret = secretCertificate
 	}
 	}
 
 
@@ -229,8 +238,8 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
 
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = secretCert
-		smtc.expectError = "remoteRef.Extract.property required for secret type imported_cert"
+		smtc.ref.Key = secretCert
+		smtc.expectError = "remoteref.Property required for secret type imported_cert"
 	}
 	}
 
 
 	successCases := []*secretManagerTestCase{
 	successCases := []*secretManagerTestCase{
@@ -313,7 +322,7 @@ func TestGetSecretMap(t *testing.T) {
 
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst)
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = "username_password/test-secret"
+		smtc.refFrom.Extract.Key = "username_password/test-secret"
 		smtc.expectedData["username"] = []byte(secretUsername)
 		smtc.expectedData["username"] = []byte(secretUsername)
 		smtc.expectedData["password"] = []byte(secretPassword)
 		smtc.expectedData["password"] = []byte(secretPassword)
 	}
 	}
@@ -329,7 +338,7 @@ func TestGetSecretMap(t *testing.T) {
 
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeIamCredentialsConst)
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeIamCredentialsConst)
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = "iam_credentials/test-secret"
+		smtc.refFrom.Extract.Key = "iam_credentials/test-secret"
 		smtc.expectedData["apikey"] = []byte(secretAPIKey)
 		smtc.expectedData["apikey"] = []byte(secretAPIKey)
 	}
 	}
 
 
@@ -349,7 +358,7 @@ func TestGetSecretMap(t *testing.T) {
 
 
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiInput.SecretType = core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst)
 		smtc.apiOutput.Resources = resources
 		smtc.apiOutput.Resources = resources
-		smtc.ref.Extract.Key = "imported_cert/test-secret"
+		smtc.refFrom.Extract.Key = "imported_cert/test-secret"
 		smtc.expectedData["certificate"] = []byte(secretCertificate)
 		smtc.expectedData["certificate"] = []byte(secretCertificate)
 		smtc.expectedData["private_key"] = []byte(secretPrivateKey)
 		smtc.expectedData["private_key"] = []byte(secretPrivateKey)
 		smtc.expectedData["intermediate"] = []byte(secretIntermediate)
 		smtc.expectedData["intermediate"] = []byte(secretIntermediate)
@@ -368,7 +377,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := providerIBM{}
 	sm := providerIBM{}
 	for k, v := range successCases {
 	for k, v := range successCases {
 		sm.IBMClient = v.mockClient
 		sm.IBMClient = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}

+ 8 - 8
pkg/provider/oracle/oracle.go

@@ -132,8 +132,8 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1
 
 
 	sec, err := vms.Client.GetSecretBundleByName(ctx, secrets.GetSecretBundleByNameRequest{
 	sec, err := vms.Client.GetSecretBundleByName(ctx, secrets.GetSecretBundleByNameRequest{
 		VaultId:    &vms.vault,
 		VaultId:    &vms.vault,
-		SecretName: &ref.Extract.Key,
-		Stage:      secrets.GetSecretBundleByNameStageEnum(ref.Extract.Version),
+		SecretName: &ref.Key,
+		Stage:      secrets.GetSecretBundleByNameStageEnum(ref.Version),
 	})
 	})
 	if err != nil {
 	if err != nil {
 		return nil, util.SanitizeErr(err)
 		return nil, util.SanitizeErr(err)
@@ -149,14 +149,14 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1
 		return nil, err
 		return nil, err
 	}
 	}
 
 
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		return payload, nil
 		return payload, nil
 	}
 	}
 
 
-	val := gjson.Get(string(payload), ref.Extract.Property)
+	val := gjson.Get(string(payload), ref.Property)
 
 
 	if !val.Exists() {
 	if !val.Exists() {
-		return nil, fmt.Errorf(errMissingKey, ref.Extract.Key)
+		return nil, fmt.Errorf(errMissingKey, ref.Key)
 	}
 	}
 
 
 	return []byte(val.String()), nil
 	return []byte(val.String()), nil
@@ -164,13 +164,13 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
-func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	data, err := vms.GetSecret(ctx, ref)
+func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+	data, err := vms.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}

+ 10 - 1
pkg/provider/oracle/oracle_test.go

@@ -31,6 +31,7 @@ type vaultTestCase struct {
 	apiInput       *secrets.GetSecretBundleByNameRequest
 	apiInput       *secrets.GetSecretBundleByNameRequest
 	apiOutput      *secrets.GetSecretBundleByNameResponse
 	apiOutput      *secrets.GetSecretBundleByNameResponse
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
 	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	apiErr         error
 	expectError    string
 	expectError    string
 	expectedSecret string
 	expectedSecret string
@@ -43,6 +44,7 @@ func makeValidVaultTestCase() *vaultTestCase {
 		mockClient:     &fakeoracle.OracleMockClient{},
 		mockClient:     &fakeoracle.OracleMockClient{},
 		apiInput:       makeValidAPIInput(),
 		apiInput:       makeValidAPIInput(),
 		ref:            makeValidRef(),
 		ref:            makeValidRef(),
+		refFrom:        makeValidRefFrom(),
 		apiOutput:      makeValidAPIOutput(),
 		apiOutput:      makeValidAPIOutput(),
 		apiErr:         nil,
 		apiErr:         nil,
 		expectError:    "",
 		expectError:    "",
@@ -55,6 +57,13 @@ func makeValidVaultTestCase() *vaultTestCase {
 
 
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
 	return &esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:     "test-secret",
+		Version: "default",
+	}
+}
+
+func makeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     "test-secret",
 			Key:     "test-secret",
 			Version: "default",
 			Version: "default",
@@ -160,7 +169,7 @@ func TestGetSecretMap(t *testing.T) {
 	sm := VaultManagementService{}
 	sm := VaultManagementService{}
 	for k, v := range successCases {
 	for k, v := range successCases {
 		sm.Client = v.mockClient
 		sm.Client = v.mockClient
-		out, err := sm.GetSecretMap(context.Background(), *v.ref)
+		out, err := sm.GetSecretMap(context.Background(), *v.refFrom)
 		if !ErrorContains(err, v.expectError) {
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		}

+ 2 - 2
pkg/provider/provider.go

@@ -34,10 +34,10 @@ type SecretsClient interface {
 	GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
 	GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
 
 
 	// GetSecretMap returns multiple k/v pairs from the provider
 	// GetSecretMap returns multiple k/v pairs from the provider
-	GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
+	GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 
 
 	// GetSecretMap returns all k/v pairs from the provider
 	// GetSecretMap returns all k/v pairs from the provider
-	GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error)
+	GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 
 
 	Close(ctx context.Context) error
 	Close(ctx context.Context) error
 }
 }

+ 2 - 2
pkg/provider/schema/schema_test.go

@@ -39,13 +39,13 @@ func (p *PP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRem
 }
 }
 
 
 // GetSecretMap returns multiple k/v pairs from the provider.
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (p *PP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (p *PP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }

+ 5 - 5
pkg/provider/vault/vault.go

@@ -153,24 +153,24 @@ func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore
 }
 }
 
 
 func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
 func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	data, err := v.readSecret(ctx, ref.Extract.Key, ref.Extract.Version)
+	data, err := v.readSecret(ctx, ref.Key, ref.Version)
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}
-	value, exists := data[ref.Extract.Property]
+	value, exists := data[ref.Property]
 	if !exists {
 	if !exists {
-		return nil, fmt.Errorf(errSecretKeyFmt, ref.Extract.Property)
+		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
 	}
 	}
 	return value, nil
 	return value, nil
 }
 }
 
 
-func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return v.readSecret(ctx, ref.Extract.Key, ref.Extract.Version)
 	return v.readSecret(ctx, ref.Extract.Key, ref.Extract.Version)
 }
 }
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (v *client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (v *client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }

+ 6 - 6
pkg/provider/vault/vault_test.go

@@ -564,11 +564,11 @@ func TestGetSecretMap(t *testing.T) {
 	}
 	}
 
 
 	type args struct {
 	type args struct {
-		store   *esv1alpha1.VaultProvider
-		kube    kclient.Client
-		vClient Client
-		ns      string
-		data    esv1alpha1.ExternalSecretDataRemoteRef
+		store    *esv1alpha1.VaultProvider
+		kube     kclient.Client
+		vClient  Client
+		ns       string
+		dataFrom esv1alpha1.ExternalSecretDataFromRemoteRef
 	}
 	}
 
 
 	type want struct {
 	type want struct {
@@ -671,7 +671,7 @@ func TestGetSecretMap(t *testing.T) {
 				store:     tc.args.store,
 				store:     tc.args.store,
 				namespace: tc.args.ns,
 				namespace: tc.args.ns,
 			}
 			}
-			_, err := vStore.GetSecretMap(context.Background(), tc.args.data)
+			_, err := vStore.GetSecretMap(context.Background(), tc.args.dataFrom)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nvault.GetSecretMap(...): -want error, +got error:\n%s", tc.reason, diff)
 				t.Errorf("\n%s\nvault.GetSecretMap(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			}

+ 6 - 6
pkg/provider/webhook/webhook.go

@@ -129,12 +129,12 @@ func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDa
 	return result, nil
 	return result, nil
 }
 }
 
 
-func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	provider, err := getProvider(w.store)
 	provider, err := getProvider(w.store)
 	if err != nil {
 	if err != nil {
 		return nil, fmt.Errorf("failed to get store: %w", err)
 		return nil, fmt.Errorf("failed to get store: %w", err)
 	}
 	}
-	result, err := w.getWebhookData(ctx, provider, ref)
+	result, err := w.getWebhookData(ctx, provider, ref.GetDataRemoteRef())
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}
@@ -181,9 +181,9 @@ func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecre
 func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef, secrets []esv1alpha1.WebhookSecret) (map[string]map[string]string, error) {
 func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef, secrets []esv1alpha1.WebhookSecret) (map[string]map[string]string, error) {
 	data := map[string]map[string]string{
 	data := map[string]map[string]string{
 		"remoteRef": {
 		"remoteRef": {
-			"key":      url.QueryEscape(ref.Extract.Key),
-			"version":  url.QueryEscape(ref.Extract.Version),
-			"property": url.QueryEscape(ref.Extract.Property),
+			"key":      url.QueryEscape(ref.Key),
+			"version":  url.QueryEscape(ref.Version),
+			"property": url.QueryEscape(ref.Property),
 		},
 		},
 	}
 	}
 	for _, secref := range secrets {
 	for _, secref := range secrets {
@@ -375,7 +375,7 @@ func (w *WebHook) getCertFromConfigMap(provider *esv1alpha1.WebhookProvider) ([]
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }

+ 3 - 5
pkg/provider/webhook/webhook_test.go

@@ -269,7 +269,7 @@ func runTestCase(tc testCase, t *testing.T) {
 }
 }
 
 
 func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient) {
 func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient) {
-	testRef := esv1alpha1.ExternalSecretDataRemoteRef{
+	testRef := esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:     tc.Args.Key,
 			Key:     tc.Args.Key,
 			Version: tc.Args.Version,
 			Version: tc.Args.Version,
@@ -297,10 +297,8 @@ func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient)
 
 
 func testGetSecret(tc testCase, t *testing.T, client provider.SecretsClient) {
 func testGetSecret(tc testCase, t *testing.T, client provider.SecretsClient) {
 	testRef := esv1alpha1.ExternalSecretDataRemoteRef{
 	testRef := esv1alpha1.ExternalSecretDataRemoteRef{
-		Extract: esv1alpha1.ExternalSecretExtract{
-			Key:     tc.Args.Key,
-			Version: tc.Args.Version,
-		},
+		Key:     tc.Args.Key,
+		Version: tc.Args.Version,
 	}
 	}
 	secret, err := client.GetSecret(context.Background(), testRef)
 	secret, err := client.GetSecret(context.Background(), testRef)
 	errStr := ""
 	errStr := ""

+ 5 - 5
pkg/provider/yandex/lockbox/lockbox.go

@@ -226,12 +226,12 @@ type lockboxSecretsClient struct {
 
 
 // GetSecret returns a single secret from the provider.
 // GetSecret returns a single secret from the provider.
 func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
 func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Extract.Key, ref.Extract.Version)
+	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Key, ref.Version)
 	if err != nil {
 	if err != nil {
 		return nil, fmt.Errorf("unable to request secret payload to get secret: %w", err)
 		return nil, fmt.Errorf("unable to request secret payload to get secret: %w", err)
 	}
 	}
 
 
-	if ref.Extract.Property == "" {
+	if ref.Property == "" {
 		keyToValue := make(map[string]interface{}, len(entries))
 		keyToValue := make(map[string]interface{}, len(entries))
 		for _, entry := range entries {
 		for _, entry := range entries {
 			value, err := getValueAsIs(entry)
 			value, err := getValueAsIs(entry)
@@ -247,7 +247,7 @@ func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.Ext
 		return out, nil
 		return out, nil
 	}
 	}
 
 
-	entry, err := findEntryByKey(entries, ref.Extract.Property)
+	entry, err := findEntryByKey(entries, ref.Property)
 	if err != nil {
 	if err != nil {
 		return nil, err
 		return nil, err
 	}
 	}
@@ -256,13 +256,13 @@ func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.Ext
 
 
 // Implements store.Client.GetAllSecrets Interface.
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
 // New version of GetAllSecrets.
-func (c *lockboxSecretsClient) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (c *lockboxSecretsClient) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	// TO be implemented
 	return map[string][]byte{}, nil
 	return map[string][]byte{}, nil
 }
 }
 
 
 // GetSecretMap returns multiple k/v pairs from the provider.
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (c *lockboxSecretsClient) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (c *lockboxSecretsClient) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Extract.Key, ref.Extract.Version)
 	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Extract.Key, ref.Extract.Version)
 	if err != nil {
 	if err != nil {
 		return nil, fmt.Errorf("unable to request secret payload to get secret map: %w", err)
 		return nil, fmt.Errorf("unable to request secret payload to get secret map: %w", err)

+ 12 - 4
pkg/provider/yandex/lockbox/lockbox_test.go

@@ -562,7 +562,7 @@ func TestGetSecretMap(t *testing.T) {
 	})
 	})
 	secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 	secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 	tassert.Nil(t, err)
 	tassert.Nil(t, err)
-	data, err := secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", ""))
+	data, err := secretsClient.GetSecretMap(ctx, getRemoteFromDef(secretID, "", ""))
 	tassert.Nil(t, err)
 	tassert.Nil(t, err)
 
 
 	tassert.Equal(
 	tassert.Equal(
@@ -598,7 +598,7 @@ func TestGetSecretMapByVersionID(t *testing.T) {
 	})
 	})
 	secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 	secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 	tassert.Nil(t, err)
 	tassert.Nil(t, err)
-	data, err := secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", oldVersionID))
+	data, err := secretsClient.GetSecretMap(ctx, getRemoteFromDef(secretID, "", oldVersionID))
 	tassert.Nil(t, err)
 	tassert.Nil(t, err)
 
 
 	tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
 	tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
@@ -608,11 +608,11 @@ func TestGetSecretMapByVersionID(t *testing.T) {
 		textEntry(newKey, newVal),
 		textEntry(newKey, newVal),
 	)
 	)
 
 
-	data, err = secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", oldVersionID))
+	data, err = secretsClient.GetSecretMap(ctx, getRemoteFromDef(secretID, "", oldVersionID))
 	tassert.Nil(t, err)
 	tassert.Nil(t, err)
 	tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
 	tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
 
 
-	data, err = secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", newVersionID))
+	data, err = secretsClient.GetSecretMap(ctx, getRemoteFromDef(secretID, "", newVersionID))
 	tassert.Nil(t, err)
 	tassert.Nil(t, err)
 	tassert.Equal(t, map[string][]byte{newKey: []byte(newVal)}, data)
 	tassert.Equal(t, map[string][]byte{newKey: []byte(newVal)}, data)
 }
 }
@@ -642,6 +642,14 @@ func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName
 
 
 func getRemoteDef(key, property, version string) esv1alpha1.ExternalSecretDataRemoteRef {
 func getRemoteDef(key, property, version string) esv1alpha1.ExternalSecretDataRemoteRef {
 	return esv1alpha1.ExternalSecretDataRemoteRef{
 	return esv1alpha1.ExternalSecretDataRemoteRef{
+		Key:      key,
+		Property: property,
+		Version:  version,
+	}
+}
+
+func getRemoteFromDef(key, property, version string) esv1alpha1.ExternalSecretDataFromRemoteRef {
+	return esv1alpha1.ExternalSecretDataFromRemoteRef{
 		Extract: esv1alpha1.ExternalSecretExtract{
 		Extract: esv1alpha1.ExternalSecretExtract{
 			Key:      key,
 			Key:      key,
 			Property: property,
 			Property: property,