
Deployed 17d3e22b8 to main with MkDocs 1.6.1 and mike 1.2.0.dev0

Skarlso 6 months ago
Parent
Current commit
4ce4a74bb0

+ 12 - 19
main/guides/templating/index.html

@@ -5411,17 +5411,14 @@ NtFUGA95RGN9s+pl6XY0YARPHf5O76ErC1OZtDTR5RdyQfcM+94gYZsexsXl0aQO
 <span class="w">        </span><span class="nt">tls.key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">filterPEM</span><span class="nv"> </span><span class="s">&quot;</span><span class="l l-Scalar l-Scalar-Plain">PRIVATE KEY&quot; }}&quot;</span>
 </code></pre></div>
 <h3 id="rsa-decryption-data-from-provider">RSA Decryption Data From Provider</h3>
-<p>When a provider returns RSA-encrypted values, you can decrypt them directly in the template using the <code>getSecretKey</code> and <code>rsaDecrypt</code> functions (engine v2).</p>
-<ul>
-<li><code>getSecretKey</code> reads a specific key from a Kubernetes Secret. Use it to fetch the RSA private key (PEM in plain text, without passphrase) used for decryption. (<strong>Note:</strong> It is recommended to fetch the key from a different Secret to ensure stronger security in the process).</li>
-<li><code>rsaDecrypt</code> performs decryption with the private key passed through the pipeline: <code>&lt;privateKeyPEM | rsaDecrypt "&lt;SCHEME&gt;" "&lt;HASH&gt;" &lt;ciphertext&gt; &gt;</code>. <code>SCHEME</code> and <code>HASH</code> are strings (for example, <code>"RSA-OAEP"</code> and <code>"SHA1"</code>). The third argument must be the ciphertext in binary form.</li>
-</ul>
+<p>When a provider returns RSA-encrypted values, you can decrypt them directly in the template using the <code>rsaDecrypt</code> functions (engine v2).
+<code>rsaDecrypt</code> performs decryption with the private key passed through the pipeline: <code>&lt;privateKeyPEM | rsaDecrypt "&lt;SCHEME&gt;" "&lt;HASH&gt;" &lt;ciphertext&gt; &gt;</code>. <code>SCHEME</code> and <code>HASH</code> are strings (for example, <code>"RSA-OAEP"</code> and <code>"SHA1"</code>). The third argument must be the ciphertext in binary form.</p>
 <p>Base64 handling: providers often return ciphertext as Base64. You can either:
 - decode in the template with <code>b64dec</code> (for example: <code>(.password_encrypted_base64 | b64dec)</code>), or
 - set <code>decodingStrategy: Base64</code> on the corresponding <code>spec.data.remoteRef</code> so the template receives binary data.</p>
 <p>Prerequisites
 - <code>spec.target.template.engineVersion: v2</code>.
-- A valid RSA private key in PEM format without passphrase (from another Secret via <code>getSecretKey</code>, or from the same ExternalSecret).
+- A valid RSA private key in PEM format without passphrase (from another reference in the same ExternalSecret).
 - Ciphertext must match the key pair and the chosen algorithm/hash.</p>
 <p>Full example:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
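Review bot: The added `<p>` reads "the `rsaDecrypt` functions (engine v2)" but only one function is now named; change it to "function". The rewritten Prerequisites bullet, "from another reference in the same ExternalSecret", should spell out what that reference is: a `spec.data` entry whose `sourceRef.storeRef` points at a Kubernetes-provider `SecretStore` (or `ClusterSecretStore`), as the full example below this paragraph does, and it should also carry over the dropped recommendation to keep the private key in a separate Secret, since the decryption key and the ciphertext are now fetched from different stores and the reader should not start putting both in one. Finally, the inline usage `<privateKeyPEM | rsaDecrypt "<SCHEME>" "<HASH>" <ciphertext>>` documents only the pipeline form, while the example in this section uses the positional four-argument form; mention both here or align the example with the prose.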
@@ -5435,17 +5432,17 @@ NtFUGA95RGN9s+pl6XY0YARPHf5O76ErC1OZtDTR5RdyQfcM+94gYZsexsXl0aQO
 <span class="w">      </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
 <span class="w">      </span><span class="nt">data</span><span class="p">:</span>
 <span class="w">        </span><span class="c1"># Decrypt a binary ciphertext using a private key stored in a Kubernetes Secret.</span>
-<span class="w">        </span><span class="c1"># getSecretKey(&quot;secret-name&quot;, &quot;namespace&quot;, &quot;key&quot;) reads the PEM private key.</span>
 <span class="w">        </span><span class="c1"># rsaDecrypt(&quot;SCHEME&quot;, &quot;HASH&quot;, ciphertext, privateKeyPEM) decrypts the ciphertext (binary).</span>
-<span class="w">        </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;{{</span><span class="nv"> </span><span class="s">getSecretKey</span><span class="nv"> </span><span class="s">&quot;my_secret_with_pk&quot;</span><span class="nv"> </span><span class="s">&quot;namespace_pk&quot;</span><span class="nv"> </span><span class="s">&quot;key_pk&quot;</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">rsaDecrypt</span><span class="nv"> </span><span class="s">&quot;RSA-OAEP&quot;</span><span class="nv"> </span><span class="s">&quot;SHA1&quot;</span><span class="nv"> </span><span class="s">.password_encrypted_binary</span><span class="nv"> </span><span class="s">}}&#39;</span>
-
-<span class="w">        </span><span class="c1"># Alternatives:</span>
-<span class="w">        </span><span class="c1"># - If provider returns Base64, decode in-template with b64dec:</span>
-<span class="w">        </span><span class="c1"># password: &#39;{{ getSecretKey &quot;my_secret_with_pk&quot; &quot;namespace_pk&quot; &quot;key_pk&quot; | rsaDecrypt &quot;RSA-OAEP&quot; &quot;SHA1&quot; (.password_encrypted_base64 | b64dec) }}&#39;</span>
-<span class="w">        </span><span class="c1"># - Or set decodingStrategy: Base64 on the spec.data.remoteRef so template receives binary.</span>
-<span class="w">        </span><span class="c1"># - Or use a private key pulled into this ExternalSecret (then use {{ .private_key }}):</span>
-<span class="w">        </span><span class="c1"># password: &#39;{{ .private_key | rsaDecrypt &quot;RSA-OAEP&quot; &quot;SHA1&quot; .password_encrypted_binary }}&#39;</span>
+<span class="w">        </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;{{</span><span class="nv"> </span><span class="s">rsaDecrypt</span><span class="nv"> </span><span class="s">&quot;RSA-OAEP&quot;</span><span class="nv"> </span><span class="s">&quot;SHA1&quot;</span><span class="nv"> </span><span class="s">.password_encrypted_binary</span><span class="nv"> </span><span class="s">.privatekey</span><span class="nv"> </span><span class="s">}}&#39;</span>
 <span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">privatekey</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">a-secretname-in-cluster</span>
+<span class="w">      </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">privatekey</span>
+<span class="w">    </span><span class="nt">sourceRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">storeRef</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span><span class="w"> </span><span class="c1"># or ClusterSecretStore</span>
+<span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes</span><span class="w"> </span><span class="c1"># name of the k8s provider</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password_encrypted_binary</span>
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/credentials/password_encrypted_binary</span>
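Review bot: The new `password` line uses the positional form `rsaDecrypt "RSA-OAEP" "SHA1" .password_encrypted_binary .privatekey`, which is fine per the function table, but it should be stated that `.privatekey` is the `secretKey` of the `spec.data` entry added just below, otherwise the link between the template and the new `privatekey` entry is left for the reader to infer. Because the PEM private key is now a `spec.data` item of the same ExternalSecret, the surrounding text should also say whether it reaches the target Secret: with the default template `mergePolicy` (`Replace`) only the templated `password` key is written, so the key material is not copied alongside the decrypted value, whereas `mergePolicy: Merge` would write `privatekey` out as well. One sentence on that, plus a note that the `kubernetes` store needs RBAC to read `a-secretname-in-cluster`, would make the example safe to copy as-is.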
@@ -5557,10 +5554,6 @@ created at the provider.</p>
 <td>Takes an json-serialized JWK as <code>string</code> and returns an PEM block of type <code>PRIVATE KEY</code> that contains the private key in PKCS #8 format. <a href="https://golang.org/pkg/crypto/x509/#MarshalPKCS8PrivateKey">See here</a> for details.</td>
 </tr>
 <tr>
-<td>getSecretKey</td>
-<td>Reads a specific key from a Kubernetes <code>Secret</code> and returns it as a string. Typical usage: <code>getSecretKey "secret-name" "namespace" "key"</code>.</td>
-</tr>
-<tr>
 <td>rsaDecrypt</td>
 <td>Decrypts RSA ciphertext using a PEM private key. Usage: <code>&lt;rsaDecrypt "SCHEME" "HASH" ciphertext privateKeyPEM&gt;</code> or <code>&lt;privateKeyPEM \| rsaDecrypt "SCHEME" "HASH" ciphertext&gt;</code>. <strong>SCHEME</strong>: supported values are <code>"None"</code> and <code>"RSA-OAEP"</code>. <strong>HASH</strong>: supported values are <code>"SHA1"</code> and <code>"SHA256"</code>. <strong>Ciphertext</strong> must be binary — use <code>b64dec</code> or <code>decodingStrategy: Base64</code> to convert Base64 payloads.</td>
 </tr>
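Review bot: With the `getSecretKey` row removed, the table no longer says where the `privateKeyPEM` argument of `rsaDecrypt` comes from; end the `rsaDecrypt` row with a pointer to the "RSA Decryption Data From Provider" section, which now shows the key being pulled in through a Kubernetes-provider SecretStore. The remaining statements in that row (both call forms, `"None"`/`"RSA-OAEP"`, `"SHA1"`/`"SHA256"`, binary ciphertext) still match the updated example and should stay.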

File diff suppressed because it is too large
+ 0 - 0
main/search/search_index.json


+ 10 - 10
main/snippets/rsadecrypt-template-v2-external-secret.yaml

@@ -10,17 +10,17 @@ spec:
       engineVersion: v2
       data:
         # Decrypt a binary ciphertext using a private key stored in a Kubernetes Secret.
-        # getSecretKey("secret-name", "namespace", "key") reads the PEM private key.
         # rsaDecrypt("SCHEME", "HASH", ciphertext, privateKeyPEM) decrypts the ciphertext (binary).
-        password: '{{ getSecretKey "my_secret_with_pk" "namespace_pk" "key_pk" | rsaDecrypt "RSA-OAEP" "SHA1" .password_encrypted_binary }}'
-
-        # Alternatives:
-        # - If provider returns Base64, decode in-template with b64dec:
-        # password: '{{ getSecretKey "my_secret_with_pk" "namespace_pk" "key_pk" | rsaDecrypt "RSA-OAEP" "SHA1" (.password_encrypted_base64 | b64dec) }}'
-        # - Or set decodingStrategy: Base64 on the spec.data.remoteRef so template receives binary.
-        # - Or use a private key pulled into this ExternalSecret (then use {{ .private_key }}):
-        # password: '{{ .private_key | rsaDecrypt "RSA-OAEP" "SHA1" .password_encrypted_binary }}'
+        password: '{{ rsaDecrypt "RSA-OAEP" "SHA1" .password_encrypted_binary .privatekey }}'
   data:
+  - secretKey: privatekey
+    remoteRef:
+      key: a-secretname-in-cluster
+      property: privatekey
+    sourceRef:
+      storeRef:
+        kind: SecretStore # or ClusterSecretStore
+        name: kubernetes # name of the k8s provider
   - secretKey: password_encrypted_binary
     remoteRef:
       key: /credentials/password_encrypted_binary
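Review bot: The new `privatekey` entry names a Secret (`remoteRef.key: a-secretname-in-cluster`) and a data field (`property: privatekey`) that the `kubernetes` SecretStore reads, so that Secret has to live in the namespace the store is scoped to and the store's service account needs read access to it; a short comment on these lines would save readers a failed sync when they paste the snippet. Since this YAML is what the rendered guide includes, it also inherits the gap left by deleting the `getSecretKey` comment: the comment block still says the key is "stored in a Kubernetes Secret" but no longer says that it arrives in the template as `.privatekey` via the entry below, so add that to the second comment line.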
@@ -31,4 +31,4 @@ spec:
   #     key: /credentials/password_encrypted_base64
   #     decodingStrategy: Base64
   # ...
-{% endraw %}
+{% endraw %}
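Review bot: This hunk removes and re-adds `{% endraw %}` with no visible content change, so it is a trailing whitespace or end-of-file newline fix; harmless, but confirm the file now ends with a single newline so the MkDocs snippet include renders without a stray blank line, and mention it in the commit message if it was intentional.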

Some files were not shown because too many files changed in this diff