chore: update go version of the project to 1.23 (#3829)

* chore: update go version of the project to 1.23

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* fixed an absurd amount of linter issues

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

.github/workflows/ci.yml

@@ -9,8 +9,8 @@ on:
 
 env:
   # Common versions
-  GOLANGCI_VERSION: 'v1.57.2'
-  KUBERNETES_VERSION: '1.30.x'
+  GOLANGCI_VERSION: 'v1.60.1'
+  KUBERNETES_VERSION: '1.31.x'
 
   # Sonar
   SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Dockerfile.standalone

@@ -1,6 +1,6 @@
 # This version of Dockerfile is for building without external dependencies.
 # Build a multi-platform image e.g. `docker buildx build --push --platform linux/arm64,linux/amd64 --tag external-secrets:dev --file Dockerfile.standalone .`
-FROM golang:1.22.6-alpine@sha256:1a478681b671001b7f029f94b5016aed984a23ad99c707f6a0ab6563860ae2f3 AS builder
+FROM golang:1.23.0-alpine@sha256:d0b31558e6b3e4cc59f6011d79905835108c919143ebecc58f35965bf79948f4 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ENV CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH}

Makefile

@@ -322,7 +322,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
 
 ## Tool Versions
-GOLANGCI_VERSION := 1.57.2
+GOLANGCI_VERSION := 1.60.1
 KUBERNETES_VERSION := 1.30.x
 TILT_VERSION := 0.33.10
 

apis/externalsecrets/v1beta1/externalsecret_validator.go

@@ -40,35 +40,35 @@ func (esv *ExternalSecretValidator) ValidateDelete(_ context.Context, _ runtime.
 func validateExternalSecret(obj runtime.Object) (admission.Warnings, error) {
 	es, ok := obj.(*ExternalSecret)
 	if !ok {
-		return nil, fmt.Errorf("unexpected type")
+		return nil, errors.New("unexpected type")
 	}
 
 	var errs error
 	if (es.Spec.Target.DeletionPolicy == DeletionPolicyDelete && es.Spec.Target.CreationPolicy == CreatePolicyMerge) ||
 		(es.Spec.Target.DeletionPolicy == DeletionPolicyDelete && es.Spec.Target.CreationPolicy == CreatePolicyNone) {
-		errs = errors.Join(errs, fmt.Errorf("deletionPolicy=Delete must not be used when the controller doesn't own the secret. Please set creationPolicy=Owner"))
+		errs = errors.Join(errs, errors.New("deletionPolicy=Delete must not be used when the controller doesn't own the secret. Please set creationPolicy=Owner"))
 	}
 
 	if es.Spec.Target.DeletionPolicy == DeletionPolicyMerge && es.Spec.Target.CreationPolicy == CreatePolicyNone {
-		errs = errors.Join(errs, fmt.Errorf("deletionPolicy=Merge must not be used with creationPolicy=None. There is no Secret to merge with"))
+		errs = errors.Join(errs, errors.New("deletionPolicy=Merge must not be used with creationPolicy=None. There is no Secret to merge with"))
 	}
 
 	if len(es.Spec.Data) == 0 && len(es.Spec.DataFrom) == 0 {
-		errs = errors.Join(errs, fmt.Errorf("either data or dataFrom should be specified"))
+		errs = errors.Join(errs, errors.New("either data or dataFrom should be specified"))
 	}
 
 	for _, ref := range es.Spec.DataFrom {
 		generatorRef := ref.SourceRef != nil && ref.SourceRef.GeneratorRef != nil
 		if (ref.Find != nil && (ref.Extract != nil || generatorRef)) || (ref.Extract != nil && (ref.Find != nil || generatorRef)) || (generatorRef && (ref.Find != nil || ref.Extract != nil)) {
-			errs = errors.Join(errs, fmt.Errorf("extract, find, or generatorRef cannot be set at the same time"))
+			errs = errors.Join(errs, errors.New("extract, find, or generatorRef cannot be set at the same time"))
 		}
 
 		if ref.Find == nil && ref.Extract == nil && ref.SourceRef == nil {
-			errs = errors.Join(errs, fmt.Errorf("either extract, find, or sourceRef must be set to dataFrom"))
+			errs = errors.Join(errs, errors.New("either extract, find, or sourceRef must be set to dataFrom"))
 		}
 
 		if ref.SourceRef != nil && ref.SourceRef.GeneratorRef == nil && ref.SourceRef.SecretStoreRef == nil {
-			errs = errors.Join(errs, fmt.Errorf("generatorRef or storeRef must be set when using sourceRef in dataFrom"))
+			errs = errors.Join(errs, errors.New("generatorRef or storeRef must be set when using sourceRef in dataFrom"))
 		}
 	}
 

apis/externalsecrets/v1beta1/provider_schema.go

@@ -16,6 +16,7 @@ package v1beta1
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"sync"
 )
@@ -116,5 +117,5 @@ func getProviderName(storeSpec *SecretStoreProvider) (string, error) {
 		return k, nil
 	}
 
-	return "", fmt.Errorf("failed to find registered store backend")
+	return "", errors.New("failed to find registered store backend")
 }

apis/externalsecrets/v1beta1/secretstore_validator.go

@@ -36,7 +36,7 @@ type GenericStoreValidator struct{}
 func (r *GenericStoreValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
 	st, ok := obj.(GenericStore)
 	if !ok {
-		return nil, fmt.Errorf(errInvalidStore)
+		return nil, errors.New(errInvalidStore)
 	}
 	return validateStore(st)
 }
@@ -45,7 +45,7 @@ func (r *GenericStoreValidator) ValidateCreate(_ context.Context, obj runtime.Ob
 func (r *GenericStoreValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
 	st, ok := newObj.(GenericStore)
 	if !ok {
-		return nil, fmt.Errorf(errInvalidStore)
+		return nil, errors.New(errInvalidStore)
 	}
 	return validateStore(st)
 }

design/007-provider-versioning-strategy.md

@@ -126,7 +126,7 @@ func (g *gitlabBase) getAuth(ctx context.Context) ([]byte, error) {
 
 	credentials := credentialsSecret.Data[g.store.Auth.SecretRef.AccessToken.Key]
 	if len(credentials) == 0 {
-		return nil, fmt.Errorf(errMissingSAK)
+		return nil, errors.New(errMissingSAK)
 	}
 	return credentials, nil
 }

e2e/framework/addon/vault.go

@@ -22,14 +22,16 @@ import (
 	"crypto/x509/pkix"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"fmt"
-	"k8s.io/apimachinery/pkg/types"
 	"math/big"
 	"net"
 	"net/http"
 	"os"
 	"time"
 
+	"k8s.io/apimachinery/pkg/types"
+
 	"github.com/golang-jwt/jwt/v4"
 	vault "github.com/hashicorp/vault/api"
 
@@ -320,7 +322,7 @@ func genVaultCertificates(namespace string) ([]byte, []byte, []byte, []byte, []b
 		"vault-" + namespace,
 		fmt.Sprintf("vault-%s.%s.svc.cluster.local", namespace, namespace)})
 	if err != nil {
-		return nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to generate vault server cert")
+		return nil, nil, nil, nil, nil, nil, errors.New("unable to generate vault server cert")
 	}
 	serverKeyPem := pem.EncodeToMemory(&pem.Block{
 		Type:  privatePemType,
@@ -333,7 +335,7 @@ func genVaultCertificates(namespace string) ([]byte, []byte, []byte, []byte, []b
 	}
 	clientPem, clientKey, err := genPeerCert(clientRootCert, clientRootKey, "vault-client", nil)
 	if err != nil {
-		return nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to generate vault server cert")
+		return nil, nil, nil, nil, nil, nil, errors.New("unable to generate vault server cert")
 	}
 	clientKeyPem := pem.EncodeToMemory(&pem.Block{
 		Type:  privatePemType,

e2e/go.mod

@@ -1,6 +1,6 @@
 module github.com/external-secrets/external-secrets-e2e
 
-go 1.22.4
+go 1.23
 
 replace (
 	github.com/Masterminds/sprig/v3 => github.com/external-secrets/sprig/v3 v3.3.0

go.mod

@@ -1,6 +1,6 @@
 module github.com/external-secrets/external-secrets
 
-go 1.22.4
+go 1.23
 
 replace github.com/Masterminds/sprig/v3 => github.com/external-secrets/sprig/v3 v3.3.0
 

pkg/common/webhook/webhook.go

@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -66,10 +67,10 @@ func (w *Webhook) getStoreSecret(ctx context.Context, ref SecretKeySelector) (*c
 	if w.EnforceLabels {
 		expected, ok := secret.Labels["external-secrets.io/type"]
 		if !ok {
-			return nil, fmt.Errorf("secret does not contain needed label 'external-secrets.io/type: webhook'. Update secret label to use it with webhook")
+			return nil, errors.New("secret does not contain needed label 'external-secrets.io/type: webhook'. Update secret label to use it with webhook")
 		}
 		if expected != "webhook" {
-			return nil, fmt.Errorf("secret type is not 'webhook'")
+			return nil, errors.New("secret type is not 'webhook'")
 		}
 	}
 	return secret, nil
@@ -150,7 +151,7 @@ func (w *Webhook) GetTemplateData(ctx context.Context, ref *esv1beta1.ExternalSe
 
 func (w *Webhook) GetWebhookData(ctx context.Context, provider *Spec, ref *esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if w.HTTP == nil {
-		return nil, fmt.Errorf("http client not initialized")
+		return nil, errors.New("http client not initialized")
 	}
 
 	escapedData, err := w.GetTemplateData(ctx, ref, provider.Secrets, true)
@@ -244,7 +245,7 @@ func (w *Webhook) GetCACertPool(ctx context.Context, provider *Spec) (*x509.Cert
 	}
 	ok := caCertPool.AppendCertsFromPEM(ca)
 	if !ok {
-		return nil, fmt.Errorf("failed to append cabundle")
+		return nil, errors.New("failed to append cabundle")
 	}
 
 	return caCertPool, nil

pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go

@@ -16,6 +16,7 @@ package clusterexternalsecret
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"reflect"
 	"slices"
@@ -132,7 +133,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 		}
 
 		if err == nil && !isExternalSecretOwnedBy(&existingES, clusterExternalSecret.Name) {
-			failedNamespaces[namespace.Name] = fmt.Errorf("external secret already exists in namespace")
+			failedNamespaces[namespace.Name] = errors.New("external secret already exists in namespace")
 			continue
 		}
 

pkg/controllers/crds/crds_controller.go

@@ -175,10 +175,10 @@ func (r *Reconciler) checkEndpoints() error {
 		return err
 	}
 	if len(eps.Subsets) == 0 {
-		return fmt.Errorf(errSubsetsNotReady)
+		return errors.New(errSubsetsNotReady)
 	}
 	if len(eps.Subsets[0].Addresses) == 0 {
-		return fmt.Errorf(errAddressesNotReady)
+		return errors.New(errAddressesNotReady)
 	}
 	return nil
 }
@@ -234,7 +234,7 @@ func injectService(crd *apiext.CustomResourceDefinition, svc types.NamespacedNam
 		crd.Spec.Conversion.Webhook == nil ||
 		crd.Spec.Conversion.Webhook.ClientConfig == nil ||
 		crd.Spec.Conversion.Webhook.ClientConfig.Service == nil {
-		return fmt.Errorf("unexpected crd conversion webhook config")
+		return errors.New("unexpected crd conversion webhook config")
 	}
 	crd.Spec.Conversion.Webhook.ClientConfig.Service.Namespace = svc.Namespace
 	crd.Spec.Conversion.Webhook.ClientConfig.Service.Name = svc.Name
@@ -245,7 +245,7 @@ func injectCert(crd *apiext.CustomResourceDefinition, certPem []byte) error {
 	if crd.Spec.Conversion == nil ||
 		crd.Spec.Conversion.Webhook == nil ||
 		crd.Spec.Conversion.Webhook.ClientConfig == nil {
-		return fmt.Errorf("unexpected crd conversion webhook config")
+		return errors.New("unexpected crd conversion webhook config")
 	}
 	crd.Spec.Conversion.Webhook.ClientConfig.CABundle = certPem
 	return nil

pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"strconv"
@@ -1724,7 +1725,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 	// a error condition must be set.
 	providerErrCondition := func(tc *testCase) {
 		const secretVal = "foobar"
-		fakeProvider.WithGetSecret(nil, fmt.Errorf("boom"))
+		fakeProvider.WithGetSecret(nil, errors.New("boom"))
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Millisecond * 100}
 		tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
 			cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
@@ -1787,7 +1788,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 	storeConstructErrCondition := func(tc *testCase) {
 		fakeProvider.WithNew(func(context.Context, esv1beta1.GenericStore, client.Client,
 			string) (esv1beta1.SecretsClient, error) {
-			return nil, fmt.Errorf("artificial constructor error")
+			return nil, errors.New("artificial constructor error")
 		})
 		tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
 			// condition must be false

pkg/controllers/pushsecret/pushsecret_controller.go

@@ -406,7 +406,7 @@ func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) (
 
 func (r *Reconciler) getSecretStoreFromName(ctx context.Context, refStore esapi.PushSecretStoreRef, ns string) (v1beta1.GenericStore, error) {
 	if refStore.Name == "" {
-		return nil, fmt.Errorf("refStore Name must be provided")
+		return nil, errors.New("refStore Name must be provided")
 	}
 	ref := types.NamespacedName{
 		Name: refStore.Name,

pkg/controllers/pushsecret/pushsecret_controller_test.go

@@ -17,6 +17,7 @@ package pushsecret
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"strconv"
@@ -350,7 +351,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		fakeProvider.SecretExistsFn = func(ctx context.Context, ref v1beta1.PushSecretRemoteRef) (bool, error) {
-			return false, fmt.Errorf("don't know")
+			return false, errors.New("don't know")
 		}
 		tc.pushsecret.Spec.UpdatePolicy = v1alpha1.PushSecretUpdatePolicyIfNotExists
 		initialValue := fakeProvider.SetSecretArgs[tc.pushsecret.Spec.Data[0].Match.RemoteRef.RemoteKey].Value
@@ -553,7 +554,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		fakeProvider.DeleteSecretFn = func() error {
-			return fmt.Errorf("Nope")
+			return errors.New("Nope")
 		}
 		tc.pushsecret = &v1alpha1.PushSecret{
 			ObjectMeta: metav1.ObjectMeta{
@@ -611,7 +612,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		fakeProvider.DeleteSecretFn = func() error {
-			return fmt.Errorf("boom")
+			return errors.New("boom")
 		}
 		tc.pushsecret.Spec.DeletionPolicy = v1alpha1.PushSecretDeletionPolicyDelete
 		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
@@ -995,7 +996,7 @@ var _ = Describe("PushSecret controller", func() {
 	// if target Secret name is not specified it should use the ExternalSecret name.
 	setSecretFail := func(tc *testCase) {
 		fakeProvider.SetSecretFn = func() error {
-			return fmt.Errorf("boom")
+			return errors.New("boom")
 		}
 		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
@@ -1010,7 +1011,7 @@ var _ = Describe("PushSecret controller", func() {
 	// if target Secret name is not specified it should use the ExternalSecret name.
 	newClientFail := func(tc *testCase) {
 		fakeProvider.NewFn = func(context.Context, v1beta1.GenericStore, client.Client, string) (v1beta1.SecretsClient, error) {
-			return nil, fmt.Errorf("boom")
+			return nil, errors.New("boom")
 		}
 		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{

pkg/controllers/secretstore/client_manager.go

@@ -16,6 +16,7 @@ package secretstore
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"regexp"
 	"strings"
@@ -114,7 +115,7 @@ func (m *Manager) Get(ctx context.Context, storeRef esv1beta1.SecretStoreRef, na
 	}
 	// check if store should be handled by this controller instance
 	if !ShouldProcessStore(store, m.controllerClass) {
-		return nil, fmt.Errorf("can not reference unmanaged store")
+		return nil, errors.New("can not reference unmanaged store")
 	}
 	// when using ClusterSecretStore, validate the ClusterSecretStore namespace conditions
 	shouldProcess, err := m.shouldProcessSecret(store, namespace)

pkg/controllers/webhookconfig/webhookconfig.go

@@ -17,7 +17,7 @@ package webhookconfig
 import (
 	"context"
 	"encoding/base64"
-	"fmt"
+	"errors"
 	"net/http"
 	"strings"
 	"sync"
@@ -145,7 +145,7 @@ func (r *Reconciler) ReadyCheck(_ *http.Request) error {
 	r.webhookReadyMu.Lock()
 	defer r.webhookReadyMu.Unlock()
 	if !r.webhookReady {
-		return fmt.Errorf(errWebhookNotReady)
+		return errors.New(errWebhookNotReady)
 	}
 	var eps v1.Endpoints
 	err := r.Get(context.TODO(), types.NamespacedName{
@@ -156,10 +156,10 @@ func (r *Reconciler) ReadyCheck(_ *http.Request) error {
 		return err
 	}
 	if len(eps.Subsets) == 0 {
-		return fmt.Errorf(errSubsetsNotReady)
+		return errors.New(errSubsetsNotReady)
 	}
 	if len(eps.Subsets[0].Addresses) == 0 {
-		return fmt.Errorf(errAddressesNotReady)
+		return errors.New(errAddressesNotReady)
 	}
 	return nil
 }
@@ -178,7 +178,7 @@ func (r *Reconciler) updateConfig(ctx context.Context, cfg *admissionregistratio
 
 	crt, ok := secret.Data[caCertName]
 	if !ok {
-		return fmt.Errorf(errCACertNotReady)
+		return errors.New(errCACertNotReady)
 	}
 	if err := r.inject(cfg, r.SvcName, r.SvcNamespace, crt); err != nil {
 		return err

pkg/generator/acr/acr.go

@@ -102,7 +102,7 @@ func (g *Generator) generate(
 	fetchAccessToken accessTokenFetcher,
 	fetchRefreshToken refreshTokenFetcher) (map[string][]byte, error) {
 	if jsonSpec == nil {
-		return nil, fmt.Errorf(errNoSpec)
+		return nil, errors.New(errNoSpec)
 	}
 	res, err := parseSpec(jsonSpec.Raw)
 	if err != nil {
@@ -136,7 +136,7 @@ func (g *Generator) generate(
 			namespace,
 		)
 	} else {
-		return nil, fmt.Errorf("unexpeted configuration")
+		return nil, errors.New("unexpeted configuration")
 	}
 	if err != nil {
 		return nil, err
@@ -187,7 +187,7 @@ func fetchACRAccessToken(acrRefreshToken, _, registryURL, scope string) (string,
 	}
 	accessToken, ok := payload["access_token"]
 	if !ok {
-		return "", fmt.Errorf("unable to get token")
+		return "", errors.New("unable to get token")
 	}
 	return accessToken, nil
 }
@@ -222,7 +222,7 @@ func fetchACRRefreshToken(aadAccessToken, tenantID, registryURL string) (string,
 	}
 	refreshToken, ok := payload["refresh_token"]
 	if !ok {
-		return "", fmt.Errorf("unable to get token")
+		return "", errors.New("unable to get token")
 	}
 	return refreshToken, nil
 }

pkg/generator/ecr/ecr.go

@@ -17,6 +17,7 @@ package ecr
 import (
 	"context"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
@@ -54,7 +55,7 @@ func (g *Generator) generate(
 	ecrFunc ecrFactoryFunc,
 ) (map[string][]byte, error) {
 	if jsonSpec == nil {
-		return nil, fmt.Errorf(errNoSpec)
+		return nil, errors.New(errNoSpec)
 	}
 	res, err := parseSpec(jsonSpec.Raw)
 	if err != nil {
@@ -91,7 +92,7 @@ func (g *Generator) generate(
 	}
 	parts := strings.Split(string(decodedToken), ":")
 	if len(parts) != 2 {
-		return nil, fmt.Errorf("unexpected token format")
+		return nil, errors.New("unexpected token format")
 	}
 
 	exp := out.AuthorizationData[0].ExpiresAt.UTC().Unix()

pkg/generator/fake/fake.go

@@ -16,6 +16,7 @@ package fake
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -35,7 +36,7 @@ const (
 
 func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _ client.Client, _ string) (map[string][]byte, error) {
 	if jsonSpec == nil {
-		return nil, fmt.Errorf(errNoSpec)
+		return nil, errors.New(errNoSpec)
 	}
 	res, err := parseSpec(jsonSpec.Raw)
 	if err != nil {

pkg/generator/gcr/gcr.go

@@ -16,6 +16,7 @@ package gcr
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strconv"
 
@@ -57,7 +58,7 @@ func (g *Generator) generate(
 	namespace string,
 	tokenSource tokenSourceFunc) (map[string][]byte, error) {
 	if jsonSpec == nil {
-		return nil, fmt.Errorf(errNoSpec)
+		return nil, errors.New(errNoSpec)
 	}
 	res, err := parseSpec(jsonSpec.Raw)
 	if err != nil {

pkg/generator/github/github.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"crypto/rsa"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -70,7 +71,7 @@ func (g *Generator) generate(
 	kube client.Client,
 	namespace string) (map[string][]byte, error) {
 	if jsonSpec == nil {
-		return nil, fmt.Errorf(errNoSpec)
+		return nil, errors.New(errNoSpec)
 	}
 	ctx, cancel := context.WithTimeout(ctx, contextTimeout)
 	defer cancel()
@@ -101,7 +102,7 @@ func (g *Generator) generate(
 
 	accessToken, ok := gat["token"].(string)
 	if !ok {
-		return nil, fmt.Errorf("token isn't a string or token key doesn't exist")
+		return nil, errors.New("token isn't a string or token key doesn't exist")
 	}
 	return map[string][]byte{
 		defaultLoginUsername: []byte(accessToken),

pkg/generator/password/password.go

@@ -16,6 +16,7 @@ package password
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/sethvargo/go-password/password"
@@ -57,7 +58,7 @@ func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _
 
 func (g *Generator) generate(jsonSpec *apiextensions.JSON, passGen generateFunc) (map[string][]byte, error) {
 	if jsonSpec == nil {
-		return nil, fmt.Errorf(errNoSpec)
+		return nil, errors.New(errNoSpec)
 	}
 	res, err := parseSpec(jsonSpec.Raw)
 	if err != nil {

pkg/generator/password/password_test.go

@@ -15,7 +15,7 @@ limitations under the License.
 package password
 
 import (
-	"fmt"
+	"errors"
 	"reflect"
 	"testing"
 
@@ -103,7 +103,7 @@ func TestGenerate(t *testing.T) {
 				},
 				passGen: func(len int, symbols int, symbolCharacters string, digits int, noUpper bool, allowRepeat bool,
 				) (string, error) {
-					return "", fmt.Errorf("boom")
+					return "", errors.New("boom")
 				},
 			},
 			wantErr: true,

pkg/generator/vault/vault.go

@@ -17,6 +17,7 @@ package vaultdynamic
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 
 	vault "github.com/hashicorp/vault/api"
@@ -61,14 +62,14 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 
 func (g *Generator) generate(ctx context.Context, c *provider.Provider, jsonSpec *apiextensions.JSON, kube client.Client, corev1 typedcorev1.CoreV1Interface, namespace string) (map[string][]byte, error) {
 	if jsonSpec == nil {
-		return nil, fmt.Errorf(errNoSpec)
+		return nil, errors.New(errNoSpec)
 	}
 	res, err := parseSpec(jsonSpec.Raw)
 	if err != nil {
 		return nil, fmt.Errorf(errParseSpec, err)
 	}
 	if res == nil || res.Spec.Provider == nil {
-		return nil, fmt.Errorf("no Vault provider config in spec")
+		return nil, errors.New("no Vault provider config in spec")
 	}
 	cl, err := c.NewGeneratorClient(ctx, kube, corev1, res.Spec.Provider, namespace)
 	if err != nil {
@@ -96,7 +97,7 @@ func (g *Generator) generate(ctx context.Context, c *provider.Provider, jsonSpec
 		return nil, err
 	}
 	if result == nil {
-		return nil, fmt.Errorf(errGetSecret, fmt.Errorf("empty response from Vault"))
+		return nil, fmt.Errorf(errGetSecret, errors.New("empty response from Vault"))
 	}
 
 	data := make(map[string]any)

pkg/generator/vault/vault_test.go

@@ -17,7 +17,6 @@ package vaultdynamic
 import (
 	"context"
 	"errors"
-	"fmt"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -91,7 +90,7 @@ spec:
 				kube: clientfake.NewClientBuilder().Build(),
 			},
 			want: want{
-				err: fmt.Errorf("unable to setup Vault client: no role name was provided"),
+				err: errors.New("unable to setup Vault client: no role name was provided"),
 			},
 		},
 		"EmptyVaultResponse": {
@@ -124,7 +123,7 @@ spec:
 				}).Build(),
 			},
 			want: want{
-				err: fmt.Errorf("unable to get dynamic secret: empty response from Vault"),
+				err: errors.New("unable to get dynamic secret: empty response from Vault"),
 			},
 		},
 		"EmptyVaultPOST": {
@@ -159,7 +158,7 @@ spec:
 				}).Build(),
 			},
 			want: want{
-				err: fmt.Errorf("unable to get dynamic secret: empty response from Vault"),
+				err: errors.New("unable to get dynamic secret: empty response from Vault"),
 			},
 		},
 	}

pkg/provider/akeyless/akeyless.go

@@ -119,11 +119,11 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 	if akeylessGWApiURL != nil && *akeylessGWApiURL != "" {
 		url, err := url.Parse(*akeylessGWApiURL)
 		if err != nil {
-			return nil, fmt.Errorf(errInvalidAkeylessURL)
+			return nil, errors.New(errInvalidAkeylessURL)
 		}
 
 		if url.Host == "" {
-			return nil, fmt.Errorf(errInvalidAkeylessURL)
+			return nil, errors.New(errInvalidAkeylessURL)
 		}
 	}
 	if akeylessSpec.Auth.KubernetesAuth != nil {
@@ -140,11 +140,11 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 		}
 
 		if akeylessSpec.Auth.KubernetesAuth.AccessID == "" {
-			return nil, fmt.Errorf("missing kubernetes auth-method access-id")
+			return nil, errors.New("missing kubernetes auth-method access-id")
 		}
 
 		if akeylessSpec.Auth.KubernetesAuth.K8sConfName == "" {
-			return nil, fmt.Errorf("missing kubernetes config name")
+			return nil, errors.New("missing kubernetes config name")
 		}
 		return nil, nil
 	}
@@ -156,11 +156,11 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 	}
 
 	if accessID.Name == "" {
-		return nil, fmt.Errorf(errInvalidAkeylessAccessIDName)
+		return nil, errors.New(errInvalidAkeylessAccessIDName)
 	}
 
 	if accessID.Key == "" {
-		return nil, fmt.Errorf(errInvalidAkeylessAccessIDKey)
+		return nil, errors.New(errInvalidAkeylessAccessIDKey)
 	}
 
 	accessType := akeylessSpec.Auth.SecretRef.AccessType
@@ -197,7 +197,7 @@ func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Cl
 	}
 
 	if spec.Auth == nil {
-		return nil, fmt.Errorf("missing Auth in store config")
+		return nil, errors.New("missing Auth in store config")
 	}
 
 	client, err := akl.getAkeylessHTTPClient(ctx, spec)
@@ -235,22 +235,22 @@ func (a *Akeyless) Validate() (esv1beta1.ValidationResult, error) {
 }
 
 func (a *Akeyless) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (a *Akeyless) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (a *Akeyless) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf(errNotImplemented)
+	return false, errors.New(errNotImplemented)
 }
 
 // Implements store.Client.GetSecret Interface.
 // Retrieves a secret with the secret name defined in ref.Name.
 func (a *Akeyless) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(a.Client) {
-		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
+		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 
 	token, err := a.Client.TokenFromSecretRef(ctx)
@@ -295,7 +295,7 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDa
 // Retrieves a all secrets with defined in ref.Name or tags.
 func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	if utils.IsNil(a.Client) {
-		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
+		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 
 	searchPath := ""
@@ -382,7 +382,7 @@ func (a *Akeyless) findSecretsFromName(ctx context.Context, candidates []string,
 // New version of GetSecretMap.
 func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(a.Client) {
-		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
+		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 
 	val, err := a.GetSecret(ctx, ref)
@@ -424,7 +424,7 @@ func (a *akeylessBase) getAkeylessHTTPClient(ctx context.Context, provider *esv1
 	caCertPool := x509.NewCertPool()
 	ok := caCertPool.AppendCertsFromPEM(cert)
 	if !ok {
-		return nil, fmt.Errorf("failed to append caBundle")
+		return nil, errors.New("failed to append caBundle")
 	}
 
 	tlsConf := &tls.Config{

pkg/provider/akeyless/akeyless_api.go

@@ -185,7 +185,7 @@ func (a *akeylessBase) GetRotatedSecrets(ctx context.Context, secretName, token
 	if ok {
 		val, convert := valI.(map[string]any)
 		if !convert {
-			return "", fmt.Errorf("failure converting key from gsvOut")
+			return "", errors.New("failure converting key from gsvOut")
 		}
 		if _, ok := val["payload"]; ok {
 			return fmt.Sprintf("%v", val["payload"]), nil

pkg/provider/akeyless/akeyless_test.go

@@ -16,6 +16,7 @@ package akeyless
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"reflect"
 	"strings"
@@ -85,7 +86,7 @@ func makeValidAkeylessTestCaseCustom(tweaks ...func(smtc *akeylessTestCase)) *ak
 // This case can be shared by both GetSecret and GetSecretMap tests.
 // bad case: set apiErr.
 var setAPIErr = func(smtc *akeylessTestCase) {
-	smtc.apiOutput.Err = fmt.Errorf("oh no")
+	smtc.apiOutput.Err = errors.New("oh no")
 	smtc.expectError = "oh no"
 }
 
@@ -160,7 +161,7 @@ func TestValidateStore(t *testing.T) {
 
 		_, err := provider.ValidateStore(store)
 		if err != nil {
-			t.Errorf(err.Error())
+			t.Error(err.Error())
 		}
 	})
 
@@ -186,7 +187,7 @@ func TestValidateStore(t *testing.T) {
 
 		_, err := provider.ValidateStore(store)
 		if err != nil {
-			t.Errorf(err.Error())
+			t.Error(err.Error())
 		}
 	})
 

pkg/provider/akeyless/auth.go

@@ -16,6 +16,7 @@ package akeyless
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
@@ -72,10 +73,10 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 	}
 
 	if accessID == "" {
-		return "", fmt.Errorf(errMissingSAK)
+		return "", errors.New(errMissingSAK)
 	}
 	if accessType == "" {
-		return "", fmt.Errorf(errMissingAKID)
+		return "", errors.New(errMissingAKID)
 	}
 
 	return a.GetToken(accessID, accessType, accessTypeParam, prov.Auth.KubernetesAuth)

pkg/provider/akeyless/utils.go

@@ -15,6 +15,7 @@ limitations under the License.
 package akeyless
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -47,14 +48,14 @@ const (
 // GetAKeylessProvider does the necessary nil checks and returns the akeyless provider or an error.
 func GetAKeylessProvider(store esv1beta1.GenericStore) (*esv1beta1.AkeylessProvider, error) {
 	if store == nil {
-		return nil, fmt.Errorf(errNilStore)
+		return nil, errors.New(errNilStore)
 	}
 	spc := store.GetSpec()
 	if spc == nil {
-		return nil, fmt.Errorf(errMissingStoreSpec)
+		return nil, errors.New(errMissingStoreSpec)
 	}
 	if spc.Provider == nil {
-		return nil, fmt.Errorf(errMissingProvider)
+		return nil, errors.New(errMissingStoreSpec)
 	}
 	prov := spc.Provider.Akeyless
 	if prov == nil {

pkg/provider/alibaba/client.go

@@ -16,6 +16,7 @@ package alibaba
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -66,7 +67,7 @@ func newClient(config *openapi.Config, options *util.RuntimeOptions) (*secretsMa
 	}
 
 	if utils.Deref(endpoint) == "" {
-		return nil, fmt.Errorf("error KMS endpoint is missing")
+		return nil, errors.New("error KMS endpoint is missing")
 	}
 
 	const (

pkg/provider/alibaba/kms.go

@@ -17,6 +17,7 @@ package alibaba
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 
 	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
@@ -57,27 +58,27 @@ type SMInterface interface {
 }
 
 func (kms *KeyManagementService) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (kms *KeyManagementService) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (kms *KeyManagementService) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf(errNotImplemented)
+	return false, errors.New(errNotImplemented)
 }
 
 // Empty GetAllSecrets.
 func (kms *KeyManagementService) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	// TO be implemented
-	return nil, fmt.Errorf(errNotImplemented)
+	return nil, errors.New(errNotImplemented)
 }
 
 // GetSecret returns a single secret from the provider.
 func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(kms.Client) {
-		return nil, fmt.Errorf(errUninitalizedAlibabaProvider)
+		return nil, errors.New(errUninitalizedAlibabaProvider)
 	}
 
 	request := &kmssdk.GetSecretValueRequest{
@@ -199,7 +200,7 @@ func newAuth(ctx context.Context, kube kclient.Client, store esv1beta1.GenericSt
 
 		return credentials, nil
 	default:
-		return nil, fmt.Errorf("alibaba authentication methods wasn't provided")
+		return nil, errors.New("alibaba authentication methods wasn't provided")
 	}
 }
 
@@ -273,7 +274,7 @@ func (kms *KeyManagementService) ValidateStore(store esv1beta1.GenericStore) (ad
 	regionID := alibabaSpec.RegionID
 
 	if regionID == "" {
-		return nil, fmt.Errorf("missing alibaba region")
+		return nil, errors.New("missing alibaba region")
 	}
 
 	return nil, kms.validateStoreAuth(store)
@@ -289,7 +290,7 @@ func (kms *KeyManagementService) validateStoreAuth(store esv1beta1.GenericStore)
 	case alibabaSpec.Auth.SecretRef != nil:
 		return kms.validateStoreAccessKeyAuth(store)
 	default:
-		return fmt.Errorf("missing alibaba auth provider")
+		return errors.New("missing alibaba auth provider")
 	}
 }
 
@@ -298,19 +299,19 @@ func (kms *KeyManagementService) validateStoreRRSAAuth(store esv1beta1.GenericSt
 	alibabaSpec := storeSpec.Provider.Alibaba
 
 	if alibabaSpec.Auth.RRSAAuth.OIDCProviderARN == "" {
-		return fmt.Errorf("missing alibaba OIDC proivder ARN")
+		return errors.New("missing alibaba OIDC proivder ARN")
 	}
 
 	if alibabaSpec.Auth.RRSAAuth.OIDCTokenFilePath == "" {
-		return fmt.Errorf("missing alibaba OIDC token file path")
+		return errors.New("missing alibaba OIDC token file path")
 	}
 
 	if alibabaSpec.Auth.RRSAAuth.RoleARN == "" {
-		return fmt.Errorf("missing alibaba Assume Role ARN")
+		return errors.New("missing alibaba Assume Role ARN")
 	}
 
 	if alibabaSpec.Auth.RRSAAuth.SessionName == "" {
-		return fmt.Errorf("missing alibaba session name")
+		return errors.New("missing alibaba session name")
 	}
 
 	return nil
@@ -327,11 +328,11 @@ func (kms *KeyManagementService) validateStoreAccessKeyAuth(store esv1beta1.Gene
 	}
 
 	if accessKeyID.Name == "" {
-		return fmt.Errorf("missing alibaba access ID name")
+		return errors.New("missing alibaba access ID name")
 	}
 
 	if accessKeyID.Key == "" {
-		return fmt.Errorf("missing alibaba access ID key")
+		return errors.New("missing alibaba access ID key")
 	}
 
 	accessKeySecret := alibabaSpec.Auth.SecretRef.AccessKeySecret
@@ -341,11 +342,11 @@ func (kms *KeyManagementService) validateStoreAccessKeyAuth(store esv1beta1.Gene
 	}
 
 	if accessKeySecret.Name == "" {
-		return fmt.Errorf("missing alibaba access key secret name")
+		return errors.New("missing alibaba access key secret name")
 	}
 
 	if accessKeySecret.Key == "" {
-		return fmt.Errorf("missing alibaba access key secret key")
+		return errors.New("missing alibaba access key secret key")
 	}
 
 	return nil

pkg/provider/alibaba/kms_test.go

@@ -16,7 +16,7 @@ package alibaba
 
 import (
 	"context"
-	"fmt"
+	"errors"
 	"reflect"
 	"strings"
 	"testing"
@@ -92,7 +92,7 @@ func makeValidKMSTestCaseCustom(tweaks ...func(kmstc *keyManagementServiceTestCa
 }
 
 var setAPIErr = func(kmstc *keyManagementServiceTestCase) {
-	kmstc.apiErr = fmt.Errorf("oh no")
+	kmstc.apiErr = errors.New("oh no")
 	kmstc.expectError = "oh no"
 }
 
@@ -203,7 +203,7 @@ func TestValidateAccessKeyStore(t *testing.T) {
 
 	_, err := kms.ValidateStore(store)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 }
 
@@ -230,7 +230,7 @@ func TestValidateRRSAStore(t *testing.T) {
 
 	_, err := kms.ValidateStore(store)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 }
 

pkg/provider/aws/parameterstore/fake/fake.go

@@ -16,7 +16,7 @@ package fake
 
 import (
 	"context"
-	"fmt"
+	"errors"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/request"
@@ -102,7 +102,7 @@ func NewPutParameterWithContextFn(output *ssm.PutParameterOutput, err error) Put
 func (sm *Client) WithValue(in *ssm.GetParameterInput, val *ssm.GetParameterOutput, err error) {
 	sm.GetParameterWithContextFn = func(ctx aws.Context, paramIn *ssm.GetParameterInput, options ...request.Option) (*ssm.GetParameterOutput, error) {
 		if !cmp.Equal(paramIn, in) {
-			return nil, fmt.Errorf("unexpected test argument")
+			return nil, errors.New("unexpected test argument")
 		}
 		return val, err
 	}

pkg/provider/aws/parameterstore/parameterstore.go

@@ -144,7 +144,7 @@ func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1beta1.
 }
 
 func (pm *ParameterStore) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
@@ -217,13 +217,13 @@ func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret,
 		isManaged := isManagedByESO(tags)
 
 		if !isManaged {
-			return fmt.Errorf("secret not managed by external-secrets")
+			return errors.New("secret not managed by external-secrets")
 		}
 
 		// When fetching a remote SecureString parameter without decrypting, the default value will always be 'sensitive'
 		// in this case, no updates will be pushed remotely
 		if existing.Parameter.Value != nil && *existing.Parameter.Value == "sensitive" {
-			return fmt.Errorf("unable to compare 'sensitive' result, ensure to request a decrypted value")
+			return errors.New("unable to compare 'sensitive' result, ensure to request a decrypted value")
 		}
 
 		if existing.Parameter.Value != nil && *existing.Parameter.Value == string(value) {

pkg/provider/aws/parameterstore/parameterstore_test.go

@@ -17,7 +17,6 @@ package parameterstore
 import (
 	"context"
 	"errors"
-	"fmt"
 	"strings"
 	"testing"
 
@@ -403,7 +402,7 @@ func TestPushSecret(t *testing.T) {
 				},
 			},
 			want: want{
-				err: fmt.Errorf("secret not managed by external-secrets"),
+				err: errors.New("secret not managed by external-secrets"),
 			},
 		},
 		"SetSecretGetTagsError": {
@@ -414,11 +413,11 @@ func TestPushSecret(t *testing.T) {
 					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
 					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(validGetParameterOutput, nil),
 					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(nil, fmt.Errorf("you shall not tag")),
+					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(nil, errors.New("you shall not tag")),
 				},
 			},
 			want: want{
-				err: fmt.Errorf("you shall not tag"),
+				err: errors.New("you shall not tag"),
 			},
 		},
 		"SetSecretContentMatches": {
@@ -492,7 +491,7 @@ func TestPushSecret(t *testing.T) {
 				},
 			},
 			want: want{
-				err: fmt.Errorf("failed to parse metadata: failed to parse JSON raw data: invalid character 'f' looking for beginning of object key string"),
+				err: errors.New("failed to parse metadata: failed to parse JSON raw data: invalid character 'f' looking for beginning of object key string"),
 			},
 		},
 		"GetRemoteSecretWithoutDecryption": {
@@ -520,7 +519,7 @@ func TestPushSecret(t *testing.T) {
 				},
 			},
 			want: want{
-				err: fmt.Errorf("unable to compare 'sensitive' result, ensure to request a decrypted value"),
+				err: errors.New("unable to compare 'sensitive' result, ensure to request a decrypted value"),
 			},
 		},
 	}
@@ -691,7 +690,7 @@ func TestGetSecret(t *testing.T) {
 	// base case: api output return error
 	setAPIError := func(pstc *parameterstoreTestCase) {
 		pstc.apiOutput = &ssm.GetParameterOutput{}
-		pstc.apiErr = fmt.Errorf("oh no")
+		pstc.apiErr = errors.New("oh no")
 		pstc.expectError = "oh no"
 	}
 
@@ -775,7 +774,7 @@ func TestGetSecretMap(t *testing.T) {
 	setAPIError := func(pstc *parameterstoreTestCase) {
 		pstc.apiOutput.Parameter = &ssm.Parameter{}
 		pstc.expectError = "some api err"
-		pstc.apiErr = fmt.Errorf("some api err")
+		pstc.apiErr = errors.New("some api err")
 	}
 	// bad case: invalid json
 	setInvalidJSON := func(pstc *parameterstoreTestCase) {

pkg/provider/aws/secretsmanager/fake/fake.go

@@ -16,6 +16,7 @@ package fake
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"time"
 
@@ -51,7 +52,7 @@ func (sm Client) CreateSecretWithContext(ctx aws.Context, input *awssm.CreateSec
 func NewCreateSecretWithContextFn(output *awssm.CreateSecretOutput, err error, expectedSecretBinary ...[]byte) CreateSecretWithContextFn {
 	return func(ctx aws.Context, actualInput *awssm.CreateSecretInput, options ...request.Option) (*awssm.CreateSecretOutput, error) {
 		if *actualInput.ClientRequestToken != "00000000-0000-0000-0000-000000000001" {
-			return nil, fmt.Errorf("expected the version to be 1 at creation")
+			return nil, errors.New("expected the version to be 1 at creation")
 		}
 		if len(expectedSecretBinary) == 1 {
 			if bytes.Equal(actualInput.SecretBinary, expectedSecretBinary[0]) {
@@ -156,7 +157,7 @@ func (sm *Client) GetSecretValue(in *awssm.GetSecretValueInput) (*awssm.GetSecre
 	if entry, found := sm.valFn[sm.cacheKeyForInput(in)]; found {
 		return entry(in)
 	}
-	return nil, fmt.Errorf("test case not found")
+	return nil, errors.New("test case not found")
 }
 
 func (sm *Client) ListSecrets(input *awssm.ListSecretsInput) (*awssm.ListSecretsOutput, error) {
@@ -177,7 +178,7 @@ func (sm *Client) cacheKeyForInput(in *awssm.GetSecretValueInput) string {
 func (sm *Client) WithValue(in *awssm.GetSecretValueInput, val *awssm.GetSecretValueOutput, err error) {
 	sm.valFn[sm.cacheKeyForInput(in)] = func(paramIn *awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error) {
 		if !cmp.Equal(paramIn, in) {
-			return nil, fmt.Errorf("unexpected test argument")
+			return nil, errors.New("unexpected test argument")
 		}
 		return val, err
 	}

pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -237,7 +237,7 @@ func (sm *SecretsManager) handleSecretError(err error) (bool, error) {
 
 func (sm *SecretsManager) PushSecret(ctx context.Context, secret *corev1.Secret, psd esv1beta1.PushSecretData) error {
 	if psd.GetSecretKey() == "" {
-		return fmt.Errorf("pushing the whole secret is not yet implemented")
+		return errors.New("pushing the whole secret is not yet implemented")
 	}
 
 	secretName := psd.GetRemoteKey()
@@ -586,7 +586,7 @@ func (sm *SecretsManager) putSecretValueWithContext(ctx context.Context, secretI
 		return err
 	}
 	if !isManagedByESO(data) {
-		return fmt.Errorf("secret not managed by external-secrets")
+		return errors.New("secret not managed by external-secrets")
 	}
 	if awsSecret != nil && bytes.Equal(awsSecret.SecretBinary, value) || utils.CompareStringAndByteSlices(awsSecret.SecretString, value) {
 		return nil

pkg/provider/aws/secretsmanager/secretsmanager_test.go

@@ -111,7 +111,7 @@ func makeValidSecretsManagerTestCaseCustom(tweaks ...func(smtc *secretsManagerTe
 // This case can be shared by both GetSecret and GetSecretMap tests.
 // bad case: set apiErr.
 var setAPIErr = func(smtc *secretsManagerTestCase) {
-	smtc.apiErr = fmt.Errorf("oh no")
+	smtc.apiErr = errors.New("oh no")
 	smtc.expectError = "oh no"
 }
 
@@ -769,7 +769,7 @@ func TestSetSecret(t *testing.T) {
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			want: want{
-				err: fmt.Errorf("secret not managed by external-secrets"),
+				err: errors.New("secret not managed by external-secrets"),
 			},
 		},
 	}

pkg/provider/aws/util/provider.go

@@ -16,6 +16,7 @@ package util
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 
 	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
@@ -35,14 +36,14 @@ const (
 // it returns the aws provider or an error.
 func GetAWSProvider(store esv1beta1.GenericStore) (*esv1beta1.AWSProvider, error) {
 	if store == nil {
-		return nil, fmt.Errorf(errNilStore)
+		return nil, errors.New(errNilStore)
 	}
 	spc := store.GetSpec()
 	if spc == nil {
-		return nil, fmt.Errorf(errMissingStoreSpec)
+		return nil, errors.New(errMissingStoreSpec)
 	}
 	if spc.Provider == nil {
-		return nil, fmt.Errorf(errMissingProvider)
+		return nil, errors.New(errMissingProvider)
 	}
 	prov := spc.Provider.AWS
 	if prov == nil {

pkg/provider/azure/keyvault/keyvault.go

@@ -79,21 +79,17 @@ const (
 	errInvalidClientCredentials = "both clientSecret and clientCredentials set"
 	errMultipleClientID         = "multiple clientID found. Check secretRef and serviceAccountRef"
 	errMultipleTenantID         = "multiple tenantID found. Check secretRef, 'spec.provider.azurekv.tenantId', and serviceAccountRef"
-	errFindSecret               = "could not find secret %s/%s: %w"
-	errFindDataKey              = "no data for %q in secret '%s/%s'"
-
-	errInvalidStore                   = "invalid store"
-	errInvalidStoreSpec               = "invalid store spec"
-	errInvalidStoreProv               = "invalid store provider"
-	errInvalidAzureProv               = "invalid azure keyvault provider"
-	errInvalidSecRefClientID          = "invalid AuthSecretRef.ClientID: %w"
-	errInvalidSecRefClientSecret      = "invalid AuthSecretRef.ClientSecret: %w"
-	errInvalidSecRefClientCertificate = "invalid AuthSecretRef.ClientCertificate: %w"
-	errInvalidSARef                   = "invalid ServiceAccountRef: %w"
+
+	errInvalidStore              = "invalid store"
+	errInvalidStoreSpec          = "invalid store spec"
+	errInvalidStoreProv          = "invalid store provider"
+	errInvalidAzureProv          = "invalid azure keyvault provider"
+	errInvalidSecRefClientID     = "invalid AuthSecretRef.ClientID: %w"
+	errInvalidSecRefClientSecret = "invalid AuthSecretRef.ClientSecret: %w"
+	errInvalidSARef              = "invalid ServiceAccountRef: %w"
 
 	errMissingWorkloadEnvVars = "missing environment variables. AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE must be set"
 	errReadTokenFile          = "unable to read token file %s: %w"
-	errMissingSAAnnotation    = "missing service account annotation: %s"
 )
 
 // https://github.com/external-secrets/external-secrets/issues/644
@@ -177,7 +173,7 @@ func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Cl
 	case esv1beta1.AzureWorkloadIdentity:
 		authorizer, err = az.authorizerForWorkloadIdentity(ctx, NewTokenProvider)
 	default:
-		err = fmt.Errorf(errMissingAuthType)
+		err = errors.New(errMissingAuthType)
 	}
 
 	cl := keyvault.New()
@@ -198,18 +194,18 @@ func getProvider(store esv1beta1.GenericStore) (*esv1beta1.AzureKVProvider, erro
 
 func (a *Azure) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error) {
 	if store == nil {
-		return nil, fmt.Errorf(errInvalidStore)
+		return nil, errors.New(errInvalidStore)
 	}
 	spc := store.GetSpec()
 	if spc == nil {
-		return nil, fmt.Errorf(errInvalidStoreSpec)
+		return nil, errors.New(errInvalidStoreSpec)
 	}
 	if spc.Provider == nil {
-		return nil, fmt.Errorf(errInvalidStoreProv)
+		return nil, errors.New(errInvalidStoreProv)
 	}
 	p := spc.Provider.AzureKV
 	if p == nil {
-		return nil, fmt.Errorf(errInvalidAzureProv)
+		return nil, errors.New(errInvalidAzureProv)
 	}
 	if p.AuthSecretRef != nil {
 		if p.AuthSecretRef.ClientID != nil {
@@ -245,7 +241,7 @@ func canDelete(tags map[string]*string, err error) (bool, error) {
 	}
 	manager, ok := tags["managed-by"]
 	if !ok || manager == nil || *manager != managerLabel {
-		return false, fmt.Errorf("not managed by external-secrets")
+		return false, errors.New("not managed by external-secrets")
 	}
 	return true, nil
 }
@@ -374,7 +370,7 @@ func getCertificateFromValue(value []byte) (*x509.Certificate, error) {
 			return cert, nil
 		}
 	}
-	return nil, fmt.Errorf("could not parse certificate value as PKCS#12, DER or PEM")
+	return nil, errors.New("could not parse certificate value as PKCS#12, DER or PEM")
 }
 
 func getKeyFromValue(value []byte) (any, error) {
@@ -409,7 +405,7 @@ func canCreate(tags map[string]*string, err error) (bool, error) {
 	if err == nil {
 		manager, ok := tags["managed-by"]
 		if !ok || manager == nil || *manager != managerLabel {
-			return false, fmt.Errorf("not managed by external-secrets")
+			return false, errors.New("not managed by external-secrets")
 		}
 	}
 	return true, nil
@@ -770,9 +766,9 @@ func (a *Azure) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDa
 		return getSecretMapMap(data)
 
 	case objectTypeCert:
-		return nil, fmt.Errorf(errDataFromCert)
+		return nil, errors.New(errDataFromCert)
 	case objectTypeKey:
-		return nil, fmt.Errorf(errDataFromKey)
+		return nil, errors.New(errDataFromKey)
 	}
 	return nil, fmt.Errorf(errUnknownObjectType, secretName)
 }
@@ -855,7 +851,7 @@ func (a *Azure) authorizerForWorkloadIdentity(ctx context.Context, tokenProvider
 	// First check if AuthSecretRef is set and clientID can be fetched from there
 	if a.provider.AuthSecretRef != nil {
 		if a.provider.AuthSecretRef.ClientID == nil {
-			return nil, fmt.Errorf(errMissingClientIDSecret)
+			return nil, errors.New(errMissingClientIDSecret)
 		}
 		clientID, err = resolvers.SecretKeyRef(
 			ctx,
@@ -872,7 +868,7 @@ func (a *Azure) authorizerForWorkloadIdentity(ctx context.Context, tokenProvider
 		if val, found := sa.ObjectMeta.Annotations[AnnotationClientID]; found {
 			// If clientID is defined in both Annotations and AuthSecretRef, return an error
 			if clientID != "" {
-				return nil, fmt.Errorf(errMultipleClientID)
+				return nil, errors.New(errMultipleClientID)
 			}
 			clientID = val
 		}
@@ -907,7 +903,7 @@ func (a *Azure) authorizerForWorkloadIdentity(ctx context.Context, tokenProvider
 		if val, found := sa.ObjectMeta.Annotations[AnnotationTenantID]; found {
 			// If tenantID is defined in both Annotations and AuthSecretRef, return an error
 			if tenantID != "" {
-				return nil, fmt.Errorf(errMultipleTenantID)
+				return nil, errors.New(errMultipleTenantID)
 			}
 			tenantID = val
 		}
@@ -995,16 +991,16 @@ func (a *Azure) authorizerForManagedIdentity() (autorest.Authorizer, error) {
 
 func (a *Azure) authorizerForServicePrincipal(ctx context.Context) (autorest.Authorizer, error) {
 	if a.provider.TenantID == nil {
-		return nil, fmt.Errorf(errMissingTenant)
+		return nil, errors.New(errMissingTenant)
 	}
 	if a.provider.AuthSecretRef == nil {
-		return nil, fmt.Errorf(errMissingSecretRef)
+		return nil, errors.New(errMissingSecretRef)
 	}
 	if a.provider.AuthSecretRef.ClientID == nil || (a.provider.AuthSecretRef.ClientSecret == nil && a.provider.AuthSecretRef.ClientCertificate == nil) {
-		return nil, fmt.Errorf(errMissingClientIDSecret)
+		return nil, errors.New(errMissingClientIDSecret)
 	}
 	if a.provider.AuthSecretRef.ClientSecret != nil && a.provider.AuthSecretRef.ClientCertificate != nil {
-		return nil, fmt.Errorf(errInvalidClientCredentials)
+		return nil, errors.New(errInvalidClientCredentials)
 	}
 
 	return a.getAuthorizerFromCredentials(ctx)

pkg/provider/azure/keyvault/keyvault_test.go

@@ -200,7 +200,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 			RemoteKey: secretName,
 		}
 		smtc.expectError = "boom"
-		smtc.apiErr = fmt.Errorf("boom")
+		smtc.apiErr = errors.New("boom")
 	}
 
 	secretNoDeletePermissions := func(smtc *secretManagerTestCase) {
@@ -258,7 +258,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 			RemoteKey: certName,
 		}
 		smtc.expectError = "crash"
-		smtc.apiErr = fmt.Errorf("crash")
+		smtc.apiErr = errors.New("crash")
 	}
 
 	certNoDeletePermissions := func(smtc *secretManagerTestCase) {
@@ -315,7 +315,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 			RemoteKey: keyName,
 		}
 		smtc.expectError = "tls timeout"
-		smtc.apiErr = fmt.Errorf("tls timeout")
+		smtc.apiErr = errors.New("tls timeout")
 	}
 
 	keyNoDeletePermissions := func(smtc *secretManagerTestCase) {
@@ -483,7 +483,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			SecretKey: secretKey,
 			RemoteKey: secretName,
 		}
-		smtc.apiErr = fmt.Errorf("crash")
+		smtc.apiErr = errors.New("crash")
 		smtc.expectError = "crash"
 	}
 	failedSetSecret := func(smtc *secretManagerTestCase) {

pkg/provider/beyondtrust/provider.go

@@ -77,17 +77,17 @@ func (*Provider) Close(_ context.Context) error {
 
 // DeleteSecret implements v1beta1.SecretsClient.
 func (*Provider) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 // GetSecretMap implements v1beta1.SecretsClient.
 func (*Provider) GetSecretMap(_ context.Context, _ esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	return make(map[string][]byte), fmt.Errorf(errNotImplemented)
+	return make(map[string][]byte), errors.New(errNotImplemented)
 }
 
 // PushSecret implements v1beta1.SecretsClient.
 func (*Provider) PushSecret(_ context.Context, _ *v1.Secret, _ esv1beta1.PushSecretData) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 // Validate implements v1beta1.SecretsClient.
@@ -104,7 +104,7 @@ func (p *Provider) Validate() (esv1beta1.ValidationResult, error) {
 }
 
 func (*Provider) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf(errNotImplemented)
+	return false, errors.New(errNotImplemented)
 }
 
 // NewClient this is where we initialize the SecretClient and return it for the controller to use.
@@ -244,7 +244,7 @@ func validateSecretRef(ref *esv1beta1.BeyondTrustProviderSecretRef) error {
 }
 
 func (p *Provider) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
-	return nil, fmt.Errorf("GetAllSecrets not implemented")
+	return nil, errors.New("GetAllSecrets not implemented")
 }
 
 // GetSecret reads the secret from the Password Safe server and returns it. The controller uses the value here to
@@ -255,7 +255,7 @@ func (p *Provider) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretData
 	retrievalPaths := utils.ValidatePaths([]string{ref.Key}, managedAccountType, p.separator, &p.log)
 
 	if len(retrievalPaths) != 1 {
-		return nil, fmt.Errorf(errInvalidRetrievalPath)
+		return nil, errors.New(errInvalidRetrievalPath)
 	}
 
 	retrievalPath := retrievalPaths[0]
@@ -292,17 +292,17 @@ func (p *Provider) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretData
 // ValidateStore validates the store configuration to prevent unexpected errors.
 func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error) {
 	if store == nil {
-		return nil, fmt.Errorf(errNilStore)
+		return nil, errors.New(errNilStore)
 	}
 
 	spec := store.GetSpec()
 
 	if spec == nil {
-		return nil, fmt.Errorf(errMissingStoreSpec)
+		return nil, errors.New(errMissingStoreSpec)
 	}
 
 	if spec.Provider == nil {
-		return nil, fmt.Errorf(errMissingProvider)
+		return nil, errors.New(errMissingProvider)
 	}
 
 	provider := spec.Provider.Beyondtrust
@@ -312,7 +312,7 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 
 	apiURL, err := url.Parse(provider.Server.APIURL)
 	if err != nil {
-		return nil, fmt.Errorf(errInvalidHostURL)
+		return nil, errors.New(errInvalidHostURL)
 	}
 
 	if provider.Auth.ClientID.SecretRef != nil {
@@ -324,7 +324,7 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 	}
 
 	if apiURL.Host == "" {
-		return nil, fmt.Errorf(errInvalidHostURL)
+		return nil, errors.New(errInvalidHostURL)
 	}
 
 	return nil, nil

pkg/provider/bitwarden/client.go

@@ -43,15 +43,15 @@ const (
 func (p *Provider) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
 	spec := p.store.GetSpec()
 	if spec == nil || spec.Provider == nil {
-		return fmt.Errorf("store does not have a provider")
+		return errors.New("store does not have a provider")
 	}
 
 	if data.GetSecretKey() == "" {
-		return fmt.Errorf("pushing the whole secret is not yet implemented")
+		return errors.New("pushing the whole secret is not yet implemented")
 	}
 
 	if data.GetRemoteKey() == "" {
-		return fmt.Errorf("remote key must be defined")
+		return errors.New("remote key must be defined")
 	}
 
 	value, ok := secret.Data[data.GetSecretKey()]
@@ -132,7 +132,7 @@ func (p *Provider) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDa
 
 	spec := p.store.GetSpec()
 	if spec == nil || spec.Provider == nil {
-		return nil, fmt.Errorf("store does not have a provider")
+		return nil, errors.New("store does not have a provider")
 	}
 
 	secret, err := p.findSecretByRef(ctx, ref.Key, spec.Provider.BitwardenSecretsManager.ProjectID)
@@ -151,7 +151,7 @@ func (p *Provider) DeleteSecret(ctx context.Context, ref esv1beta1.PushSecretRem
 
 	spec := p.store.GetSpec()
 	if spec == nil || spec.Provider == nil {
-		return fmt.Errorf("store does not have a provider")
+		return errors.New("store does not have a provider")
 	}
 
 	secret, err := p.findSecretByRef(ctx, ref.GetRemoteKey(), spec.Provider.BitwardenSecretsManager.ProjectID)
@@ -193,7 +193,7 @@ func (p *Provider) SecretExists(ctx context.Context, ref esv1beta1.PushSecretRem
 
 	spec := p.store.GetSpec()
 	if spec == nil || spec.Provider == nil {
-		return false, fmt.Errorf("store does not have a provider")
+		return false, errors.New("store does not have a provider")
 	}
 
 	if _, err := p.findSecretByRef(ctx, ref.GetRemoteKey(), spec.Provider.BitwardenSecretsManager.ProjectID); err != nil {
@@ -205,7 +205,7 @@ func (p *Provider) SecretExists(ctx context.Context, ref esv1beta1.PushSecretRem
 
 // GetSecretMap returns multiple k/v pairs from the provider.
 func (p *Provider) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	return nil, fmt.Errorf("GetSecretMap() not implemented")
+	return nil, errors.New("GetSecretMap() not implemented")
 }
 
 // GetAllSecrets gets multiple secrets from the provider and loads into a kubernetes secret.
@@ -214,7 +214,7 @@ func (p *Provider) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecre
 func (p *Provider) GetAllSecrets(ctx context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	spec := p.store.GetSpec()
 	if spec == nil {
-		return nil, fmt.Errorf("store does not have a provider")
+		return nil, errors.New("store does not have a provider")
 	}
 
 	secrets, err := p.bitwardenSdkClient.ListSecrets(ctx, spec.Provider.BitwardenSecretsManager.OrganizationID)
@@ -248,7 +248,7 @@ func (p *Provider) Close(_ context.Context) error {
 func (p *Provider) findSecretByRef(ctx context.Context, key, projectID string) (*SecretResponse, error) {
 	spec := p.store.GetSpec()
 	if spec == nil || spec.Provider == nil {
-		return nil, fmt.Errorf("store does not have a provider")
+		return nil, errors.New("store does not have a provider")
 	}
 
 	// ListAll Secrets for an organization. If the key matches our key, we GetSecret that and do a compare.

pkg/provider/bitwarden/provider.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -45,7 +46,7 @@ func init() {
 func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.BitwardenSecretsManager == nil {
-		return nil, fmt.Errorf("no store type or wrong store type")
+		return nil, errors.New("no store type or wrong store type")
 	}
 
 	token, err := resolvers.SecretKeyRef(
@@ -87,16 +88,16 @@ func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
 func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil {
-		return admission.Warnings{}, fmt.Errorf("no store type or wrong store type")
+		return admission.Warnings{}, errors.New("no store type or wrong store type")
 	}
 
 	if storeSpec.Provider == nil {
-		return admission.Warnings{}, fmt.Errorf("provider not configured")
+		return admission.Warnings{}, errors.New("provider not configured")
 	}
 
 	bitwardenSpec := storeSpec.Provider.BitwardenSecretsManager
 	if bitwardenSpec == nil {
-		return admission.Warnings{}, fmt.Errorf("bitwarden spec not configured")
+		return admission.Warnings{}, errors.New("bitwarden spec not configured")
 	}
 
 	if bitwardenSpec.CAProvider == nil && bitwardenSpec.CABundle == "" {
@@ -124,7 +125,7 @@ func newHTTPSClient(ctx context.Context, c client.Client, storeKind, namespace s
 	pool := x509.NewCertPool()
 	ok := pool.AppendCertsFromPEM(cert)
 	if !ok {
-		return nil, fmt.Errorf("failed to append caBundle")
+		return nil, errors.New("failed to append caBundle")
 	}
 
 	tr := &http.Transport{

pkg/provider/chef/chef.go

@@ -11,11 +11,13 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package chef
 
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/url"
 	"strings"
@@ -108,7 +110,7 @@ func (providerchef *Providerchef) NewClient(ctx context.Context, store v1beta1.G
 
 	if store.GetObjectKind().GroupVersionKind().Kind == v1beta1.ClusterSecretStoreKind {
 		if chefProvider.Auth.SecretRef.SecretKey.Namespace == nil {
-			return nil, fmt.Errorf(errInvalidClusterStoreMissingPKNamespace)
+			return nil, errors.New(errInvalidClusterStoreMissingPKNamespace)
 		}
 		objectKey.Namespace = *chefProvider.Auth.SecretRef.SecretKey.Namespace
 	}
@@ -119,7 +121,7 @@ func (providerchef *Providerchef) NewClient(ctx context.Context, store v1beta1.G
 
 	secretKey := credentialsSecret.Data[chefProvider.Auth.SecretRef.SecretKey.Key]
 	if len(secretKey) == 0 {
-		return nil, fmt.Errorf(errMissingSecretKey)
+		return nil, errors.New(errMissingSecretKey)
 	}
 
 	client, err := chef.NewClient(&chef.Config{
@@ -149,20 +151,20 @@ func (providerchef *Providerchef) Validate() (v1beta1.ValidationResult, error) {
 	_, err := providerchef.userService.Get(providerchef.clientName)
 	metrics.ObserveAPICall(ProviderChef, CallChefGetUser, err)
 	if err != nil {
-		return v1beta1.ValidationResultError, fmt.Errorf(errStoreValidateFailed)
+		return v1beta1.ValidationResultError, errors.New(errStoreValidateFailed)
 	}
 	return v1beta1.ValidationResultReady, nil
 }
 
 // GetAllSecrets Retrieves a map[string][]byte with the Databag names as key and the Databag's Items as secrets.
 func (providerchef *Providerchef) GetAllSecrets(_ context.Context, _ v1beta1.ExternalSecretFind) (map[string][]byte, error) {
-	return nil, fmt.Errorf("dataFrom.find not suppported")
+	return nil, errors.New("dataFrom.find not suppported")
 }
 
 // GetSecret returns a databagItem present in the databag. format example: databagName/databagItemName.
 func (providerchef *Providerchef) GetSecret(ctx context.Context, ref v1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(providerchef.databagService) {
-		return nil, fmt.Errorf(errUninitalizedChefProvider)
+		return nil, errors.New(errUninitalizedChefProvider)
 	}
 
 	key := ref.Key
@@ -178,7 +180,7 @@ func (providerchef *Providerchef) GetSecret(ctx context.Context, ref v1beta1.Ext
 		return getSingleDatabagItemWithContext(ctx, providerchef, databagName, databagItem, ref.Property)
 	}
 
-	return nil, fmt.Errorf(errInvalidFormat)
+	return nil, errors.New(errInvalidFormat)
 }
 
 func getSingleDatabagItemWithContext(ctx context.Context, providerchef *Providerchef, dataBagName, databagItemName, propertyName string) ([]byte, error) {
@@ -200,7 +202,7 @@ func getSingleDatabagItemWithContext(ctx context.Context, providerchef *Provider
 			}
 			jsonByte, err := json.Marshal(ditem)
 			if err != nil {
-				resultChan <- result{err: fmt.Errorf(errUnableToConvertToJSON)}
+				resultChan <- result{err: errors.New(errUnableToConvertToJSON)}
 				return
 			}
 			if propertyName != "" {
@@ -250,12 +252,12 @@ func getPropertyFromDatabagItem(jsonByte []byte, propertyName string) ([]byte, e
 // databagItemName or Property not expected in key.
 func (providerchef *Providerchef) GetSecretMap(ctx context.Context, ref v1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(providerchef.databagService) {
-		return nil, fmt.Errorf(errUninitalizedChefProvider)
+		return nil, errors.New(errUninitalizedChefProvider)
 	}
 	databagName := ref.Key
 
 	if strings.Contains(databagName, "/") {
-		return nil, fmt.Errorf(errInvalidDataform)
+		return nil, errors.New(errInvalidDataform)
 	}
 	getAllSecrets := make(map[string][]byte)
 	providerchef.log.Info("fetching all items from", "databag:", databagName)
@@ -291,38 +293,38 @@ func (providerchef *Providerchef) ValidateStore(store v1beta1.GenericStore) (adm
 // getChefProvider validates the incoming store and return the chef provider.
 func getChefProvider(store v1beta1.GenericStore) (*v1beta1.ChefProvider, error) {
 	if store == nil {
-		return nil, fmt.Errorf(errMissingStore)
+		return nil, errors.New(errMissingStore)
 	}
 	storeSpec := store.GetSpec()
 	if storeSpec == nil {
-		return nil, fmt.Errorf(errMissingStoreSpec)
+		return nil, errors.New(errMissingStoreSpec)
 	}
 	provider := storeSpec.Provider
 	if provider == nil {
-		return nil, fmt.Errorf(errMissingProvider)
+		return nil, errors.New(errMissingProvider)
 	}
 	chefProvider := storeSpec.Provider.Chef
 	if chefProvider == nil {
-		return nil, fmt.Errorf(errMissingChefProvider)
+		return nil, errors.New(errMissingChefProvider)
 	}
 	if chefProvider.UserName == "" {
-		return chefProvider, fmt.Errorf(errMissingUserName)
+		return chefProvider, errors.New(errMissingUserName)
 	}
 	if chefProvider.ServerURL == "" {
-		return chefProvider, fmt.Errorf(errMissingServerURL)
+		return chefProvider, errors.New(errMissingServerURL)
 	}
 	if !strings.HasSuffix(chefProvider.ServerURL, "/") {
-		return chefProvider, fmt.Errorf(errServerURLNoEndSlash)
+		return chefProvider, errors.New(errServerURLNoEndSlash)
 	}
 	// check valid URL
 	if _, err := url.ParseRequestURI(chefProvider.ServerURL); err != nil {
 		return chefProvider, fmt.Errorf(errInvalidURL, err)
 	}
 	if chefProvider.Auth == nil {
-		return chefProvider, fmt.Errorf(errMissingAuth)
+		return chefProvider, errors.New(errMissingAuth)
 	}
 	if chefProvider.Auth.SecretRef.SecretKey.Key == "" {
-		return chefProvider, fmt.Errorf(errMissingSecretKey)
+		return chefProvider, errors.New(errMissingSecretKey)
 	}
 
 	return chefProvider, nil
@@ -330,16 +332,16 @@ func getChefProvider(store v1beta1.GenericStore) (*v1beta1.ChefProvider, error)
 
 // Not Implemented DeleteSecret.
 func (providerchef *Providerchef) DeleteSecret(_ context.Context, _ v1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 // Not Implemented PushSecret.
 func (providerchef *Providerchef) PushSecret(_ context.Context, _ *corev1.Secret, _ v1beta1.PushSecretData) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (providerchef *Providerchef) SecretExists(_ context.Context, _ v1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf(errNotImplemented)
+	return false, errors.New(errNotImplemented)
 }
 
 // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).

pkg/provider/chef/chef_test.go

@@ -278,31 +278,31 @@ func TestValidateStore(t *testing.T) {
 	testCases := []ValidateStoreTestCase{
 		{
 			store: makeSecretStore("", baseURL, makeAuth(authName, authNamespace, authKey)),
-			err:   fmt.Errorf("received invalid Chef SecretStore resource: missing username"),
+			err:   errors.New("received invalid Chef SecretStore resource: missing username"),
 		},
 		{
 			store: makeSecretStore(name, "", makeAuth(authName, authNamespace, authKey)),
-			err:   fmt.Errorf("received invalid Chef SecretStore resource: missing serverurl"),
+			err:   errors.New("received invalid Chef SecretStore resource: missing serverurl"),
 		},
 		{
 			store: makeSecretStore(name, baseURL, nil),
-			err:   fmt.Errorf("received invalid Chef SecretStore resource: cannot initialize Chef Client: no valid authType was specified"),
+			err:   errors.New("received invalid Chef SecretStore resource: cannot initialize Chef Client: no valid authType was specified"),
 		},
 		{
 			store: makeSecretStore(name, baseInvalidURL, makeAuth(authName, authNamespace, authKey)),
-			err:   fmt.Errorf("received invalid Chef SecretStore resource: invalid serverurl: parse \"invalid base URL/\": invalid URI for request"),
+			err:   errors.New("received invalid Chef SecretStore resource: invalid serverurl: parse \"invalid base URL/\": invalid URI for request"),
 		},
 		{
 			store: makeSecretStore(name, noEndSlashInvalidBaseURL, makeAuth(authName, authNamespace, authKey)),
-			err:   fmt.Errorf("received invalid Chef SecretStore resource: serverurl does not end with slash(/)"),
+			err:   errors.New("received invalid Chef SecretStore resource: serverurl does not end with slash(/)"),
 		},
 		{
 			store: makeSecretStore(name, baseURL, makeAuth(authName, authNamespace, "")),
-			err:   fmt.Errorf("received invalid Chef SecretStore resource: missing Secret Key"),
+			err:   errors.New("received invalid Chef SecretStore resource: missing Secret Key"),
 		},
 		{
 			store: makeSecretStore(name, baseURL, makeAuth(authName, authNamespace, authKey)),
-			err:   fmt.Errorf("received invalid Chef SecretStore resource: namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
+			err:   errors.New("received invalid Chef SecretStore resource: namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
 		},
 		{
 			store: &esv1beta1.SecretStore{
@@ -310,7 +310,7 @@ func TestValidateStore(t *testing.T) {
 					Provider: nil,
 				},
 			},
-			err: fmt.Errorf("received invalid Chef SecretStore resource: missing provider"),
+			err: errors.New("received invalid Chef SecretStore resource: missing provider"),
 		},
 		{
 			store: &esv1beta1.SecretStore{
@@ -320,7 +320,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			err: fmt.Errorf("received invalid Chef SecretStore resource: missing chef provider"),
+			err: errors.New("received invalid Chef SecretStore resource: missing chef provider"),
 		},
 	}
 	pc := Providerchef{}

pkg/provider/conjur/auth_jwt.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -59,7 +60,7 @@ func (c *Client) getJWTToken(ctx context.Context, conjurJWTConfig *esv1beta1.Con
 		}
 		return jwtToken, nil
 	}
-	return "", fmt.Errorf("missing ServiceAccountRef or SecretRef")
+	return "", errors.New("missing ServiceAccountRef or SecretRef")
 }
 
 // getJwtFromServiceAccountTokenRequest uses the TokenRequest API to get a JWT token for the given service account.
@@ -108,7 +109,7 @@ func newHTTPSClient(cert []byte) (*http.Client, error) {
 	pool := x509.NewCertPool()
 	ok := pool.AppendCertsFromPEM(cert)
 	if !ok {
-		return nil, fmt.Errorf("can't append Conjur SSL cert")
+		return nil, errors.New("can't append Conjur SSL cert")
 	}
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},

pkg/provider/conjur/client.go

@@ -16,6 +16,7 @@ package conjur
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/cyberark/conjur-api-go/conjurapi"
@@ -121,7 +122,7 @@ func (c *Client) GetConjurClient(ctx context.Context) (SecretsClient, error) {
 		return conjur, nil
 	} else {
 		// Should not happen because validate func should catch this
-		return nil, fmt.Errorf("no authentication method provided")
+		return nil, errors.New("no authentication method provided")
 	}
 }
 
@@ -137,7 +138,7 @@ func (c *Client) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef
 }
 
 func (c *Client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 // Validate validates the provider.

pkg/provider/conjur/provider_test.go

@@ -271,7 +271,7 @@ func TestGetAllSecrets(t *testing.T) {
 				search:    "^secret[1,2", // Missing `]`
 			},
 			want: want{
-				err:    fmt.Errorf("could not compile find.name.regexp [%s]: %w", "^secret[1,2", fmt.Errorf("error parsing regexp: missing closing ]: `[1,2`")),
+				err:    fmt.Errorf("could not compile find.name.regexp [%s]: %w", "^secret[1,2", errors.New("error parsing regexp: missing closing ]: `[1,2`")),
 				values: nil,
 			},
 		},
@@ -415,7 +415,7 @@ func TestGetSecretMap(t *testing.T) {
 				},
 			},
 			want: want{
-				err: fmt.Errorf("%w", fmt.Errorf("error getting secret json_map: cannot find secret data for key: \"key3\"")),
+				err: fmt.Errorf("%w", errors.New("error getting secret json_map: cannot find secret data for key: \"key3\"")),
 				val: nil,
 			},
 		},

pkg/provider/conjur/util/provider.go

@@ -15,6 +15,7 @@ limitations under the License.
 package util
 
 import (
+	"errors"
 	"fmt"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
@@ -31,18 +32,18 @@ const (
 // it returns the conjur provider or an error.
 func GetConjurProvider(store esv1beta1.GenericStore) (*esv1beta1.ConjurProvider, error) {
 	if store == nil {
-		return nil, fmt.Errorf(errNilStore)
+		return nil, errors.New(errNilStore)
 	}
 	spec := store.GetSpec()
 	if spec == nil {
-		return nil, fmt.Errorf(errMissingStoreSpec)
+		return nil, errors.New(errMissingStoreSpec)
 	}
 	if spec.Provider == nil {
-		return nil, fmt.Errorf(errMissingProvider)
+		return nil, errors.New(errMissingProvider)
 	}
 
 	if spec.Provider.Conjur == nil {
-		return nil, fmt.Errorf(errMissingProvider)
+		return nil, errors.New(errMissingProvider)
 	}
 
 	prov := spec.Provider.Conjur

pkg/provider/conjur/validate.go

@@ -16,6 +16,7 @@ limitations under the License.
 package conjur
 
 import (
+	"errors"
 	"fmt"
 
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -33,7 +34,7 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 	}
 
 	if prov.URL == "" {
-		return nil, fmt.Errorf("conjur URL cannot be empty")
+		return nil, errors.New("conjur URL cannot be empty")
 	}
 	if prov.Auth.APIKey != nil {
 		err := validateAPIKeyStore(store, *prov.Auth.APIKey)
@@ -51,7 +52,7 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 
 	// At least one auth must be configured
 	if prov.Auth.APIKey == nil && prov.Auth.Jwt == nil {
-		return nil, fmt.Errorf("missing Auth.* configuration")
+		return nil, errors.New("missing Auth.* configuration")
 	}
 
 	return nil, nil
@@ -59,13 +60,13 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 
 func validateAPIKeyStore(store esv1beta1.GenericStore, auth esv1beta1.ConjurAPIKey) error {
 	if auth.Account == "" {
-		return fmt.Errorf("missing Auth.ApiKey.Account")
+		return errors.New("missing Auth.ApiKey.Account")
 	}
 	if auth.UserRef == nil {
-		return fmt.Errorf("missing Auth.Apikey.UserRef")
+		return errors.New("missing Auth.Apikey.UserRef")
 	}
 	if auth.APIKeyRef == nil {
-		return fmt.Errorf("missing Auth.Apikey.ApiKeyRef")
+		return errors.New("missing Auth.Apikey.ApiKeyRef")
 	}
 	if err := utils.ValidateReferentSecretSelector(store, *auth.UserRef); err != nil {
 		return fmt.Errorf("invalid Auth.Apikey.UserRef: %w", err)
@@ -78,13 +79,13 @@ func validateAPIKeyStore(store esv1beta1.GenericStore, auth esv1beta1.ConjurAPIK
 
 func validateJWTStore(store esv1beta1.GenericStore, auth esv1beta1.ConjurJWT) error {
 	if auth.Account == "" {
-		return fmt.Errorf("missing Auth.Jwt.Account")
+		return errors.New("missing Auth.Jwt.Account")
 	}
 	if auth.ServiceID == "" {
-		return fmt.Errorf("missing Auth.Jwt.ServiceID")
+		return errors.New("missing Auth.Jwt.ServiceID")
 	}
 	if auth.ServiceAccountRef == nil && auth.SecretRef == nil {
-		return fmt.Errorf("must specify Auth.Jwt.SecretRef or Auth.Jwt.ServiceAccountRef")
+		return errors.New("must specify Auth.Jwt.SecretRef or Auth.Jwt.ServiceAccountRef")
 	}
 	if auth.SecretRef != nil {
 		if err := utils.ValidateReferentSecretSelector(store, *auth.SecretRef); err != nil {

pkg/provider/conjur/validate_test.go

@@ -15,7 +15,7 @@ limitations under the License.
 package conjur
 
 import (
-	"fmt"
+	"errors"
 	"testing"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
@@ -34,19 +34,19 @@ func TestValidateStore(t *testing.T) {
 		},
 		{
 			store: makeAPIKeySecretStore("", svcUser, svcApikey, svcAccount),
-			err:   fmt.Errorf("conjur URL cannot be empty"),
+			err:   errors.New("conjur URL cannot be empty"),
 		},
 		{
 			store: makeAPIKeySecretStore(svcURL, "", svcApikey, svcAccount),
-			err:   fmt.Errorf("missing Auth.Apikey.UserRef"),
+			err:   errors.New("missing Auth.Apikey.UserRef"),
 		},
 		{
 			store: makeAPIKeySecretStore(svcURL, svcUser, "", svcAccount),
-			err:   fmt.Errorf("missing Auth.Apikey.ApiKeyRef"),
+			err:   errors.New("missing Auth.Apikey.ApiKeyRef"),
 		},
 		{
 			store: makeAPIKeySecretStore(svcURL, svcUser, svcApikey, ""),
-			err:   fmt.Errorf("missing Auth.ApiKey.Account"),
+			err:   errors.New("missing Auth.ApiKey.Account"),
 		},
 
 		{
@@ -59,24 +59,24 @@ func TestValidateStore(t *testing.T) {
 		},
 		{
 			store: makeJWTSecretStore(svcURL, "conjur", "", jwtAuthnService, "", ""),
-			err:   fmt.Errorf("missing Auth.Jwt.Account"),
+			err:   errors.New("missing Auth.Jwt.Account"),
 		},
 		{
 			store: makeJWTSecretStore(svcURL, "conjur", "", "", "", "myconjuraccount"),
-			err:   fmt.Errorf("missing Auth.Jwt.ServiceID"),
+			err:   errors.New("missing Auth.Jwt.ServiceID"),
 		},
 		{
 			store: makeJWTSecretStore("", "conjur", "", jwtAuthnService, "", "myconjuraccount"),
-			err:   fmt.Errorf("conjur URL cannot be empty"),
+			err:   errors.New("conjur URL cannot be empty"),
 		},
 		{
 			store: makeJWTSecretStore(svcURL, "", "", jwtAuthnService, "", "myconjuraccount"),
-			err:   fmt.Errorf("must specify Auth.Jwt.SecretRef or Auth.Jwt.ServiceAccountRef"),
+			err:   errors.New("must specify Auth.Jwt.SecretRef or Auth.Jwt.ServiceAccountRef"),
 		},
 
 		{
 			store: makeNoAuthSecretStore(svcURL),
-			err:   fmt.Errorf("missing Auth.* configuration"),
+			err:   errors.New("missing Auth.* configuration"),
 		},
 	}
 	p := Provider{}

pkg/provider/device42/device42.go

@@ -16,6 +16,7 @@ package device42
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"time"
 
@@ -67,7 +68,7 @@ func (c *device42Client) getAuth(ctx context.Context) (string, string, error) {
 	credentialsSecret := &corev1.Secret{}
 	credentialsSecretName := c.store.Auth.SecretRef.Credentials.Name
 	if credentialsSecretName == "" {
-		return "", "", fmt.Errorf(errCredSecretName)
+		return "", "", errors.New(errCredSecretName)
 	}
 	objectKey := types.NamespacedName{
 		Name:      credentialsSecretName,
@@ -76,7 +77,7 @@ func (c *device42Client) getAuth(ctx context.Context) (string, string, error) {
 	// only ClusterStore is allowed to set namespace (and then it's required)
 	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.Credentials.Namespace == nil {
-			return "", "", fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
+			return "", "", errors.New(errInvalidClusterStoreMissingSAKNamespace)
 		}
 		objectKey.Namespace = *c.store.Auth.SecretRef.Credentials.Namespace
 	}
@@ -89,7 +90,7 @@ func (c *device42Client) getAuth(ctx context.Context) (string, string, error) {
 	username := credentialsSecret.Data["username"]
 	password := credentialsSecret.Data["password"]
 	if len(username) == 0 || len(password) == 0 {
-		return "", "", fmt.Errorf(errMissingSAK)
+		return "", "", errors.New(errMissingSAK)
 	}
 
 	return string(username), string(password), nil
@@ -103,7 +104,7 @@ func NewDevice42Provider() *Device42 {
 func (p *Device42) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Device42 == nil {
-		return nil, fmt.Errorf("no store type or wrong store type")
+		return nil, errors.New("no store type or wrong store type")
 	}
 	storeSpecDevice42 := storeSpec.Provider.Device42
 
@@ -125,7 +126,7 @@ func (p *Device42) NewClient(ctx context.Context, store esv1beta1.GenericStore,
 }
 
 func (p *Device42) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf(errNotImplemented)
+	return false, errors.New(errNotImplemented)
 }
 
 func (p *Device42) Validate() (esv1beta1.ValidationResult, error) {
@@ -139,20 +140,20 @@ func (p *Device42) Validate() (esv1beta1.ValidationResult, error) {
 }
 
 func (p *Device42) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (p *Device42) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
-	return nil, fmt.Errorf(errNotImplemented)
+	return nil, errors.New(errNotImplemented)
 }
 
 func (p *Device42) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (p *Device42) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(p.client) {
-		return nil, fmt.Errorf(errUninitializedProvider)
+		return nil, errors.New(errUninitializedProvider)
 	}
 
 	data, err := p.client.GetSecret(ref.Key)

pkg/provider/device42/device42_api.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -119,7 +120,7 @@ func (api *API) GetSecret(secretID string) (D42Password, error) {
 }
 
 func (api *API) GetSecretMap(_ context.Context, _ esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	return nil, fmt.Errorf(errNotImplemented)
+	return nil, errors.New(errNotImplemented)
 }
 
 func (s D42Password) ToMap() map[string][]byte {

pkg/provider/doppler/client.go

@@ -17,6 +17,7 @@ package doppler
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/url"
 	"strings"
@@ -119,7 +120,7 @@ func (c *Client) DeleteSecret(_ context.Context, ref esv1beta1.PushSecretRemoteR
 }
 
 func (c *Client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 func (c *Client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {

pkg/provider/doppler/doppler_test.go

@@ -16,7 +16,7 @@ package doppler
 
 import (
 	"context"
-	"fmt"
+	"errors"
 	"strings"
 	"testing"
 
@@ -191,7 +191,7 @@ func TestGetSecret(t *testing.T) {
 		pstc.request.Name = missingSecret
 		pstc.response = nil
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	setInvalidSecret := func(pstc *dopplerTestCase) {
@@ -200,14 +200,14 @@ func TestGetSecret(t *testing.T) {
 		pstc.request.Name = invalidSecret
 		pstc.response = nil
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	setClientError := func(pstc *dopplerTestCase) {
 		pstc.label = "invalid client error" //nolint:goconst
 		pstc.response = &client.SecretResponse{}
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	testCases := []*dopplerTestCase{
@@ -254,7 +254,7 @@ func TestGetSecretMap(t *testing.T) {
 		pstc.label = "client error"
 		pstc.response = &client.SecretResponse{}
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	testCases := []*dopplerTestCase{
@@ -300,14 +300,14 @@ func TestDeleteSecret(t *testing.T) {
 		pstc.request = makeValidDeleteRequest()
 		pstc.remoteRef.RemoteKey = invalidRemoteKey
 		pstc.expectError = missingDeleteErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	setClientError := func(pstc *updateSecretCase) {
 		pstc.label = "invalid client error"
 		pstc.request = makeValidDeleteRequest()
 		pstc.expectError = missingDeleteErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	testCases := []*updateSecretCase{
@@ -337,7 +337,7 @@ func TestPushSecret(t *testing.T) {
 		pstc.label = "push missing secret key"
 		pstc.secretData = makeSecretData(invalidSecret, *makeValidPushRemoteRef())
 		pstc.expectError = missingPushErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	pushMissingRemoteSecret := func(pstc *updateSecretCase) {
@@ -349,13 +349,13 @@ func TestPushSecret(t *testing.T) {
 			},
 		)
 		pstc.expectError = missingPushErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	setClientError := func(pstc *updateSecretCase) {
 		pstc.label = "invalid client error"
 		pstc.expectError = missingPushErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	testCases := []*updateSecretCase{
@@ -418,12 +418,12 @@ func TestValidateStore(t *testing.T) {
 		{
 			label: "invalid store missing dopplerToken.name",
 			store: makeSecretStore(withAuth("", "", nil)),
-			err:   fmt.Errorf("invalid store: dopplerToken.name cannot be empty"),
+			err:   errors.New("invalid store: dopplerToken.name cannot be empty"),
 		},
 		{
 			label: "invalid store namespace not allowed",
 			store: makeSecretStore(withAuth(secretName, "", &namespace)),
-			err:   fmt.Errorf("invalid store: namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
+			err:   errors.New("invalid store: namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
 		},
 		{
 			label: "valid provide optional dopplerToken.key",

pkg/provider/doppler/fake/fake.go

@@ -15,7 +15,7 @@ limitations under the License.
 package fake
 
 import (
-	"fmt"
+	"errors"
 	"net/url"
 
 	"github.com/google/go-cmp/cmp"
@@ -53,7 +53,7 @@ func (dc *DopplerClient) WithValue(request client.SecretRequest, response *clien
 	if dc != nil {
 		dc.getSecret = func(requestIn client.SecretRequest) (*client.SecretResponse, error) {
 			if !cmp.Equal(requestIn, request) {
-				return nil, fmt.Errorf("unexpected test argument")
+				return nil, errors.New("unexpected test argument")
 			}
 			return response, err
 		}
@@ -64,7 +64,7 @@ func (dc *DopplerClient) WithUpdateValue(request client.UpdateSecretsRequest, er
 	if dc != nil {
 		dc.updateSecrets = func(requestIn client.UpdateSecretsRequest) error {
 			if !cmp.Equal(requestIn, request) {
-				return fmt.Errorf("unexpected test argument")
+				return errors.New("unexpected test argument")
 			}
 			return err
 		}

pkg/provider/doppler/provider.go

@@ -16,6 +16,7 @@ package doppler
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"strconv"
@@ -55,7 +56,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore,
 	storeSpec := store.GetSpec()
 
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Doppler == nil {
-		return nil, fmt.Errorf(errDopplerStore)
+		return nil, errors.New(errDopplerStore)
 	}
 
 	dopplerStoreSpec := storeSpec.Provider.Doppler

pkg/provider/fake/fake.go

@@ -17,6 +17,7 @@ package fake
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -31,8 +32,8 @@ import (
 )
 
 var (
-	errMissingStore        = fmt.Errorf("missing store provider")
-	errMissingFakeProvider = fmt.Errorf("missing store provider fake")
+	errMissingStore        = errors.New("missing store provider")
+	errMissingFakeProvider = errors.New("missing store provider fake")
 	errMissingKeyField     = "key must be set in data %v"
 	errMissingValueField   = "at least one of value or valueMap must be set in data %v"
 )
@@ -129,7 +130,7 @@ func (p *Provider) PushSecret(_ context.Context, secret *corev1.Secret, data esv
 	}
 
 	if currentData.Origin != FakeSetSecret {
-		return fmt.Errorf("key already exists")
+		return errors.New("key already exists")
 	}
 	currentData.Value = string(value)
 

pkg/provider/gcp/secretmanager/auth.go

@@ -16,6 +16,7 @@ package secretmanager
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"golang.org/x/oauth2"
@@ -33,7 +34,7 @@ func NewTokenSource(ctx context.Context, auth esv1beta1.GCPSMAuth, projectID, st
 	}
 	wi, err := newWorkloadIdentity(ctx, projectID)
 	if err != nil {
-		return nil, fmt.Errorf("unable to initialize workload identity")
+		return nil, errors.New("unable to initialize workload identity")
 	}
 	defer wi.Close()
 	isClusterKind := storeKind == esv1beta1.ClusterSecretStoreKind

pkg/provider/gcp/secretmanager/client.go

@@ -50,8 +50,6 @@ const (
 	errGCPSMStore                   = "received invalid GCPSM SecretStore resource"
 	errUnableGetCredentials         = "unable to get credentials: %w"
 	errClientClose                  = "unable to close SecretManager client: %w"
-	errMissingStoreSpec             = "invalid: missing store spec"
-	errFetchSAKSecret               = "could not fetch SecretAccessKey secret: %w"
 	errUnableProcessJSONCredentials = "failed to process the provided JSON credentials: %w"
 	errUnableCreateGCPSMClient      = "failed to create GCP secretmanager client: %w"
 	errUninitalizedGCPProvider      = "provider GCP is not initialized"
@@ -131,7 +129,7 @@ func parseError(err error) error {
 }
 
 func (c *Client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 // PushSecret pushes a kubernetes secret key into gcp provider Secret.
@@ -414,7 +412,7 @@ func (c *Client) extractProjectIDNumber(secretFullName string) string {
 // GetSecret returns a single secret from the provider.
 func (c *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(c.smClient) || c.store.ProjectID == "" {
-		return nil, fmt.Errorf(errUninitalizedGCPProvider)
+		return nil, errors.New(errUninitalizedGCPProvider)
 	}
 
 	if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
@@ -527,7 +525,7 @@ func (c *Client) getSecretMetadata(ctx context.Context, ref esv1beta1.ExternalSe
 // GetSecretMap returns multiple k/v pairs from the provider.
 func (c *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if c.smClient == nil || c.store.ProjectID == "" {
-		return nil, fmt.Errorf(errUninitalizedGCPProvider)
+		return nil, errors.New(errUninitalizedGCPProvider)
 	}
 
 	data, err := c.GetSecret(ctx, ref)

pkg/provider/gcp/secretmanager/client_test.go

@@ -100,7 +100,7 @@ func makeValidSecretManagerTestCaseCustom(tweaks ...func(smtc *secretManagerTest
 // This case can be shared by both GetSecret and GetSecretMap tests.
 // bad case: set apiErr.
 var setAPIErr = func(smtc *secretManagerTestCase) {
-	smtc.apiErr = fmt.Errorf("oh no")
+	smtc.apiErr = errors.New("oh no")
 	smtc.expectError = "oh no"
 }
 
@@ -517,7 +517,7 @@ func TestPushSecret(t *testing.T) {
 	canceledError := status.Error(codes.Canceled, "canceled")
 	canceledError, _ = apierror.FromError(canceledError)
 
-	APIerror := fmt.Errorf("API Error")
+	APIerror := errors.New("API Error")
 	labelError := fmt.Errorf("secret %v is not managed by external secrets", remoteKey)
 
 	secret := secretmanagerpb.Secret{
@@ -672,16 +672,16 @@ func TestPushSecret(t *testing.T) {
 				req: func(m *fakesm.MockSMClient) error {
 					req, ok := m.CreateSecretCalledWithN[0]
 					if !ok {
-						return fmt.Errorf("index 0 for call not found in the list of calls")
+						return errors.New("index 0 for call not found in the list of calls")
 					}
 
 					user, ok := req.Secret.Replication.Replication.(*secretmanagerpb.Replication_UserManaged_)
 					if !ok {
-						return fmt.Errorf("req.Secret.Replication.Replication was not of type *secretmanagerpb.Replication_UserManaged_")
+						return errors.New("req.Secret.Replication.Replication was not of type *secretmanagerpb.Replication_UserManaged_")
 					}
 
 					if len(user.UserManaged.Replicas) < 1 {
-						return fmt.Errorf("req.Secret.Replication.Replication.Replicas was not empty")
+						return errors.New("req.Secret.Replication.Replication.Replicas was not empty")
 					}
 
 					if user.UserManaged.Replicas[0].Location != "us-east-1" {
@@ -702,7 +702,7 @@ func TestPushSecret(t *testing.T) {
 				},
 				GetSecretMockReturn: fakesm.SecretMockReturn{Secret: &secret, Err: nil}},
 			want: want{
-				err: fmt.Errorf("failed to decode PushSecret metadata"),
+				err: errors.New("failed to decode PushSecret metadata"),
 			},
 		},
 		{

pkg/provider/gcp/secretmanager/fake/fake.go

@@ -198,7 +198,7 @@ func (mc *MockSMClient) WithValue(_ context.Context, req *secretmanagerpb.Access
 			// type secretmanagerpb.AccessSecretVersionRequest contains unexported fields
 			// use cmpopts.IgnoreUnexported to ignore all the unexported fields in the cmp.
 			if !cmp.Equal(paramReq, req, cmpopts.IgnoreUnexported(secretmanagerpb.AccessSecretVersionRequest{})) {
-				return nil, fmt.Errorf("unexpected test argument")
+				return nil, errors.New("unexpected test argument")
 			}
 			return val, err
 		}

pkg/provider/gcp/secretmanager/provider.go

@@ -16,6 +16,7 @@ package secretmanager
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"sync"
 
@@ -60,7 +61,7 @@ func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
 func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.GCPSM == nil {
-		return nil, fmt.Errorf(errGCPSMStore)
+		return nil, errors.New(errGCPSMStore)
 	}
 	gcpStore := storeSpec.Provider.GCPSM
 
@@ -113,18 +114,18 @@ func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore,
 
 func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error) {
 	if store == nil {
-		return nil, fmt.Errorf(errInvalidStore)
+		return nil, errors.New(errInvalidStore)
 	}
 	spc := store.GetSpec()
 	if spc == nil {
-		return nil, fmt.Errorf(errInvalidStoreSpec)
+		return nil, errors.New(errInvalidStoreSpec)
 	}
 	if spc.Provider == nil {
-		return nil, fmt.Errorf(errInvalidStoreProv)
+		return nil, errors.New(errInvalidStoreProv)
 	}
 	g := spc.Provider.GCPSM
 	if p == nil {
-		return nil, fmt.Errorf(errInvalidGCPProv)
+		return nil, errors.New(errInvalidGCPProv)
 	}
 	if g.Auth.SecretRef != nil {
 		if err := utils.ValidateReferentSecretSelector(store, g.Auth.SecretRef.SecretAccessKey); err != nil {
@@ -145,7 +146,7 @@ func clusterProjectID(spec *esv1beta1.SecretStoreSpec) (string, error) {
 	} else if spec.Provider.GCPSM.ProjectID != "" {
 		return spec.Provider.GCPSM.ProjectID, nil
 	} else {
-		return "", fmt.Errorf(errNoProjectID)
+		return "", errors.New(errNoProjectID)
 	}
 }
 

pkg/provider/gitlab/gitlab.go

@@ -17,6 +17,7 @@ package gitlab
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"sort"
@@ -89,21 +90,21 @@ func (g *gitlabBase) getAuth(ctx context.Context) (string, error) {
 }
 
 func (g *gitlabBase) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (g *gitlabBase) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf(errNotImplemented)
+	return false, errors.New(errNotImplemented)
 }
 
 func (g *gitlabBase) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 // GetAllSecrets syncs all gitlab project and group variables into a single Kubernetes Secret.
 func (g *gitlabBase) GetAllSecrets(_ context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	if utils.IsNil(g.projectVariablesClient) {
-		return nil, fmt.Errorf(errUninitializedGitlabProvider)
+		return nil, errors.New(errUninitializedGitlabProvider)
 	}
 	var effectiveEnvironment = g.store.Environment
 	if ref.Tags != nil {
@@ -112,15 +113,15 @@ func (g *gitlabBase) GetAllSecrets(_ context.Context, ref esv1beta1.ExternalSecr
 			return nil, err
 		}
 		if !isEmptyOrWildcard(effectiveEnvironment) && !isEmptyOrWildcard(environment) {
-			return nil, fmt.Errorf(errEnvironmentIsConstricted)
+			return nil, errors.New(errEnvironmentIsConstricted)
 		}
 		effectiveEnvironment = environment
 	}
 	if ref.Path != nil {
-		return nil, fmt.Errorf(errPathNotImplemented)
+		return nil, errors.New(errPathNotImplemented)
 	}
 	if ref.Name == nil {
-		return nil, fmt.Errorf(errNameNotDefined)
+		return nil, errors.New(errNameNotDefined)
 	}
 
 	var matcher *find.Matcher
@@ -193,7 +194,7 @@ func ExtractTag(tags map[string]string) (string, error) {
 	var environmentScope string
 	for tag, value := range tags {
 		if tag != "environment_scope" {
-			return "", fmt.Errorf(errTagsOnlyEnvironmentSupported)
+			return "", errors.New(errTagsOnlyEnvironmentSupported)
 		}
 		environmentScope = value
 	}
@@ -202,7 +203,7 @@ func ExtractTag(tags map[string]string) (string, error) {
 
 func (g *gitlabBase) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(g.projectVariablesClient) || utils.IsNil(g.groupVariablesClient) {
-		return nil, fmt.Errorf(errUninitializedGitlabProvider)
+		return nil, errors.New(errUninitializedGitlabProvider)
 	}
 
 	// Need to replace hyphens with underscores to work with GitLab API

pkg/provider/gitlab/gitlab_test.go

@@ -17,6 +17,7 @@ package gitlab
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -256,14 +257,14 @@ func prepareMockGroupVarClient(smtc *secretManagerTestCase) {
 // This case can be shared by both GetSecret and GetSecretMap tests.
 // bad case: set apiErr.
 var setAPIErr = func(smtc *secretManagerTestCase) {
-	smtc.apiErr = fmt.Errorf("oh no")
+	smtc.apiErr = errors.New("oh no")
 	smtc.expectError = "oh no"
 	smtc.projectAPIResponse.Response.StatusCode = http.StatusInternalServerError
 	smtc.expectedValidationResult = esv1beta1.ValidationResultError
 }
 
 var setListAPIErr = func(smtc *secretManagerTestCase) {
-	err := fmt.Errorf("oh no")
+	err := errors.New("oh no")
 	smtc.apiErr = err
 	smtc.expectError = fmt.Errorf(errList, err).Error()
 	smtc.expectedValidationResult = esv1beta1.ValidationResultError
@@ -845,23 +846,23 @@ func TestValidateStore(t *testing.T) {
 	testCases := []ValidateStoreTestCase{
 		{
 			store: makeSecretStore("", environment),
-			err:   fmt.Errorf("projectID and groupIDs must not both be empty"),
+			err:   errors.New("projectID and groupIDs must not both be empty"),
 		},
 		{
 			store: makeSecretStore(project, environment, withGroups([]string{"group1"}, true)),
-			err:   fmt.Errorf("defining groupIDs and inheritFromGroups = true is not allowed"),
+			err:   errors.New("defining groupIDs and inheritFromGroups = true is not allowed"),
 		},
 		{
 			store: makeSecretStore(project, environment, withAccessToken("", userkey, nil)),
-			err:   fmt.Errorf("accessToken.name cannot be empty"),
+			err:   errors.New("accessToken.name cannot be empty"),
 		},
 		{
 			store: makeSecretStore(project, environment, withAccessToken(username, "", nil)),
-			err:   fmt.Errorf("accessToken.key cannot be empty"),
+			err:   errors.New("accessToken.key cannot be empty"),
 		},
 		{
 			store: makeSecretStore(project, environment, withAccessToken("userName", "userKey", &namespace)),
-			err:   fmt.Errorf("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
+			err:   errors.New("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
 		},
 		{
 			store: makeSecretStore(project, environment, withAccessToken("userName", "userKey", nil)),

pkg/provider/gitlab/provider.go

@@ -16,7 +16,7 @@ package gitlab
 
 import (
 	"context"
-	"fmt"
+	"errors"
 
 	"github.com/xanzy/go-gitlab"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -50,7 +50,7 @@ func (g *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
 func (g *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Gitlab == nil {
-		return nil, fmt.Errorf("no store type or wrong store type")
+		return nil, errors.New("no store type or wrong store type")
 	}
 	storeSpecGitlab := storeSpec.Provider.Gitlab
 
@@ -106,19 +106,19 @@ func (g *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 	}
 
 	if gitlabSpec.ProjectID == "" && len(gitlabSpec.GroupIDs) == 0 {
-		return nil, fmt.Errorf("projectID and groupIDs must not both be empty")
+		return nil, errors.New("projectID and groupIDs must not both be empty")
 	}
 
 	if gitlabSpec.InheritFromGroups && len(gitlabSpec.GroupIDs) > 0 {
-		return nil, fmt.Errorf("defining groupIDs and inheritFromGroups = true is not allowed")
+		return nil, errors.New("defining groupIDs and inheritFromGroups = true is not allowed")
 	}
 
 	if accessToken.Key == "" {
-		return nil, fmt.Errorf("accessToken.key cannot be empty")
+		return nil, errors.New("accessToken.key cannot be empty")
 	}
 
 	if accessToken.Name == "" {
-		return nil, fmt.Errorf("accessToken.name cannot be empty")
+		return nil, errors.New("accessToken.name cannot be empty")
 	}
 
 	return nil, nil

pkg/provider/ibm/provider.go

@@ -17,6 +17,7 @@ package ibm
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -98,27 +99,27 @@ func (c *client) setAuth(ctx context.Context) error {
 }
 
 func (ibm *providerIBM) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (ibm *providerIBM) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf(errNotImplemented)
+	return false, errors.New(errNotImplemented)
 }
 
 // Not Implemented PushSecret.
 func (ibm *providerIBM) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 // Empty GetAllSecrets.
 func (ibm *providerIBM) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	// TO be implemented
-	return nil, fmt.Errorf(errNotImplemented)
+	return nil, errors.New(errNotImplemented)
 }
 
 func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(ibm.IBMClient) {
-		return nil, fmt.Errorf(errUninitalizedIBMProvider)
+		return nil, errors.New(errUninitalizedIBMProvider)
 	}
 
 	var secretGroupName string
@@ -143,7 +144,7 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
 	case sm.Secret_SecretType_UsernamePassword:
 
 		if ref.Property == "" {
-			return nil, fmt.Errorf("remoteRef.property required for secret type username_password")
+			return nil, errors.New("remoteRef.property required for secret type username_password")
 		}
 		return getUsernamePasswordSecret(ibm, &secretName, ref, secretGroupName)
 
@@ -158,7 +159,7 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
 	case sm.Secret_SecretType_ImportedCert:
 
 		if ref.Property == "" {
-			return nil, fmt.Errorf("remoteRef.property required for secret type imported_cert")
+			return nil, errors.New("remoteRef.property required for secret type imported_cert")
 		}
 
 		return getImportCertSecret(ibm, &secretName, ref, secretGroupName)
@@ -166,7 +167,7 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
 	case sm.Secret_SecretType_PublicCert:
 
 		if ref.Property == "" {
-			return nil, fmt.Errorf("remoteRef.property required for secret type public_cert")
+			return nil, errors.New("remoteRef.property required for secret type public_cert")
 		}
 
 		return getPublicCertSecret(ibm, &secretName, ref, secretGroupName)
@@ -174,7 +175,7 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
 	case sm.Secret_SecretType_PrivateCert:
 
 		if ref.Property == "" {
-			return nil, fmt.Errorf("remoteRef.property required for secret type private_cert")
+			return nil, errors.New("remoteRef.property required for secret type private_cert")
 		}
 
 		return getPrivateCertSecret(ibm, &secretName, ref, secretGroupName)
@@ -361,7 +362,7 @@ func getSecretData(ibm *providerIBM, secretName *string, secretType, secretGroup
 		// secret name has been provided instead of id
 		if secretGroupName == "" {
 			// secret group name is not provided
-			return nil, fmt.Errorf("failed to fetch the secret, secret group name is missing")
+			return nil, errors.New("failed to fetch the secret, secret group name is missing")
 		}
 
 		// secret group name is provided along with secret name,
@@ -398,7 +399,7 @@ func getSecretData(ibm *providerIBM, secretName *string, secretType, secretGroup
 
 func (ibm *providerIBM) GetSecretMap(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(ibm.IBMClient) {
-		return nil, fmt.Errorf(errUninitalizedIBMProvider)
+		return nil, errors.New(errUninitalizedIBMProvider)
 	}
 	var secretGroupName string
 	secretType := sm.Secret_SecretType_Arbitrary
@@ -545,7 +546,7 @@ func (ibm *providerIBM) ValidateStore(store esv1beta1.GenericStore) (admission.W
 	storeSpec := store.GetSpec()
 	ibmSpec := storeSpec.Provider.IBM
 	if ibmSpec.ServiceURL == nil {
-		return nil, fmt.Errorf("serviceURL is required")
+		return nil, errors.New("serviceURL is required")
 	}
 
 	containerRef := ibmSpec.Auth.ContainerAuth
@@ -557,15 +558,15 @@ func (ibm *providerIBM) ValidateStore(store esv1beta1.GenericStore) (admission.W
 	if missingContainerRef == missingSecretRef {
 		// since both are equal, if one is missing assume both are missing
 		if missingContainerRef {
-			return nil, fmt.Errorf("missing auth method")
+			return nil, errors.New("missing auth method")
 		}
-		return nil, fmt.Errorf("too many auth methods defined")
+		return nil, errors.New("too many auth methods defined")
 	}
 
 	if !missingContainerRef {
 		// catch undefined container auth profile
 		if containerRef.Profile == "" {
-			return nil, fmt.Errorf("container auth profile cannot be empty")
+			return nil, errors.New("container auth profile cannot be empty")
 		}
 
 		// proceed with container auth
@@ -585,10 +586,10 @@ func (ibm *providerIBM) ValidateStore(store esv1beta1.GenericStore) (admission.W
 		return nil, err
 	}
 	if secretKeyRef.Name == "" {
-		return nil, fmt.Errorf("secretAPIKey.name cannot be empty")
+		return nil, errors.New("secretAPIKey.name cannot be empty")
 	}
 	if secretKeyRef.Key == "" {
-		return nil, fmt.Errorf("secretAPIKey.key cannot be empty")
+		return nil, errors.New("secretAPIKey.key cannot be empty")
 	}
 
 	return nil, nil

pkg/provider/ibm/provider_test.go

@@ -17,6 +17,7 @@ package ibm
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"reflect"
 	"strconv"
@@ -144,7 +145,7 @@ func makeValidSecretManagerTestCaseCustom(tweaks ...func(smtc *secretManagerTest
 // This case can be shared by both GetSecret and GetSecretMap tests.
 // bad case: set apiErr.
 var setAPIErr = func(smtc *secretManagerTestCase) {
-	smtc.apiErr = fmt.Errorf("oh no")
+	smtc.apiErr = errors.New("oh no")
 	smtc.expectError = "oh no"
 }
 
@@ -165,7 +166,7 @@ func TestValidateStore(t *testing.T) {
 	}
 	_, err := p.ValidateStore(store)
 	if err == nil {
-		t.Errorf(errExpectedErr)
+		t.Error(errExpectedErr)
 	} else if err.Error() != "serviceURL is required" {
 		t.Errorf("service URL test failed")
 	}
@@ -173,7 +174,7 @@ func TestValidateStore(t *testing.T) {
 	store.Spec.Provider.IBM.ServiceURL = &url
 	_, err = p.ValidateStore(store)
 	if err == nil {
-		t.Errorf(errExpectedErr)
+		t.Error(errExpectedErr)
 	} else if err.Error() != "missing auth method" {
 		t.Errorf("KeySelector test failed: expected missing auth method, got %v", err)
 	}
@@ -187,7 +188,7 @@ func TestValidateStore(t *testing.T) {
 	}
 	_, err = p.ValidateStore(store)
 	if err == nil {
-		t.Errorf(errExpectedErr)
+		t.Error(errExpectedErr)
 	} else if err.Error() != "namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore" {
 		t.Errorf("KeySelector test failed: expected namespace not allowed, got %v", err)
 	}

pkg/provider/keepersecurity/client.go

@@ -127,10 +127,10 @@ func (c *Client) GetSecretMap(_ context.Context, ref esv1beta1.ExternalSecretDat
 
 func (c *Client) GetAllSecrets(_ context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	if ref.Tags != nil {
-		return nil, fmt.Errorf(errTagsNotImplemented)
+		return nil, errors.New(errTagsNotImplemented)
 	}
 	if ref.Path != nil {
-		return nil, fmt.Errorf(errPathNotImplemented)
+		return nil, errors.New(errPathNotImplemented)
 	}
 	secretData := make(map[string][]byte)
 	records, err := c.findSecrets()
@@ -164,7 +164,7 @@ func (c *Client) Close(_ context.Context) error {
 
 func (c *Client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
 	if data.GetSecretKey() == "" {
-		return fmt.Errorf("pushing the whole secret is not yet implemented")
+		return errors.New("pushing the whole secret is not yet implemented")
 	}
 
 	value := secret.Data[data.GetSecretKey()]
@@ -213,7 +213,7 @@ func (c *Client) DeleteSecret(_ context.Context, remoteRef esv1beta1.PushSecretR
 }
 
 func (c *Client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 func (c *Client) buildSecretNameAndKey(remoteRef esv1beta1.PushSecretRemoteRef) ([]string, error) {

pkg/provider/keepersecurity/provider.go

@@ -16,6 +16,7 @@ package keepersecurity
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	ksm "github.com/keeper-security/secrets-manager-go/core"
@@ -29,16 +30,13 @@ import (
 )
 
 const (
-	errKeeperSecurityUnableToCreateConfig           = "unable to create valid KeeperSecurity config: %w"
-	errKeeperSecurityStore                          = "received invalid KeeperSecurity SecretStore resource: %s"
-	errKeeperSecurityNilSpec                        = "nil spec"
-	errKeeperSecurityNilSpecProvider                = "nil spec.provider"
-	errKeeperSecurityNilSpecProviderKeeperSecurity  = "nil spec.provider.keepersecurity"
-	errKeeperSecurityStoreMissingAuth               = "missing: spec.provider.keepersecurity.auth"
-	errKeeperSecurityStoreMissingFolderID           = "missing: spec.provider.keepersecurity.folderID"
-	errInvalidClusterStoreMissingK8sSecretNamespace = "invalid ClusterSecretStore: missing KeeperSecurity k8s Auth Secret Namespace"
-	errFetchK8sSecret                               = "could not fetch k8s Secret: %w"
-	errMissingK8sSecretKey                          = "missing Secret key: %s"
+	errKeeperSecurityUnableToCreateConfig          = "unable to create valid KeeperSecurity config: %w"
+	errKeeperSecurityStore                         = "received invalid KeeperSecurity SecretStore resource: %s"
+	errKeeperSecurityNilSpec                       = "nil spec"
+	errKeeperSecurityNilSpecProvider               = "nil spec.provider"
+	errKeeperSecurityNilSpecProviderKeeperSecurity = "nil spec.provider.keepersecurity"
+	errKeeperSecurityStoreMissingAuth              = "missing: spec.provider.keepersecurity.auth"
+	errKeeperSecurityStoreMissingFolderID          = "missing: spec.provider.keepersecurity.folderID"
 )
 
 // Provider implements the necessary NewClient() and ValidateStore() funcs.
@@ -90,23 +88,23 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 	}
 	spc := store.GetSpec()
 	if spc == nil {
-		return nil, fmt.Errorf(errKeeperSecurityNilSpec)
+		return nil, errors.New(errKeeperSecurityNilSpec)
 	}
 	if spc.Provider == nil {
-		return nil, fmt.Errorf(errKeeperSecurityNilSpecProvider)
+		return nil, errors.New(errKeeperSecurityNilSpecProvider)
 	}
 	if spc.Provider.KeeperSecurity == nil {
-		return nil, fmt.Errorf(errKeeperSecurityNilSpecProviderKeeperSecurity)
+		return nil, errors.New(errKeeperSecurityNilSpecProviderKeeperSecurity)
 	}
 
 	// check mandatory fields
 	config := spc.Provider.KeeperSecurity
 
 	if err := utils.ValidateSecretSelector(store, config.Auth); err != nil {
-		return nil, fmt.Errorf(errKeeperSecurityStoreMissingAuth)
+		return nil, errors.New(errKeeperSecurityStoreMissingAuth)
 	}
 	if config.FolderID == "" {
-		return nil, fmt.Errorf(errKeeperSecurityStoreMissingFolderID)
+		return nil, errors.New(errKeeperSecurityStoreMissingFolderID)
 	}
 
 	return nil, nil

pkg/provider/kubernetes/auth.go

@@ -16,6 +16,7 @@ package kubernetes
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	authenticationv1 "k8s.io/api/authentication/v1"
@@ -66,7 +67,7 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
 			return nil, fmt.Errorf("could not fetch Auth.ServiceAccount: %w", err)
 		}
 	} else {
-		return nil, fmt.Errorf("no auth provider given")
+		return nil, errors.New("no auth provider given")
 	}
 
 	var key, cert []byte
@@ -78,7 +79,7 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
 	}
 
 	if c.store.Server.URL == "" {
-		return nil, fmt.Errorf("no server URL provided")
+		return nil, errors.New("no server URL provided")
 	}
 
 	return &rest.Config{

pkg/provider/kubernetes/client.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"reflect"
 	"strings"
@@ -77,7 +78,7 @@ func (c *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretData
 
 func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	if remoteRef.GetProperty() == "" {
-		return fmt.Errorf("requires property in RemoteRef to delete secret value")
+		return errors.New("requires property in RemoteRef to delete secret value")
 	}
 
 	extSecret, getErr := c.userSecretClient.Get(ctx, remoteRef.GetRemoteKey(), metav1.GetOptions{})
@@ -101,12 +102,12 @@ func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecre
 }
 
 func (c *Client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 func (c *Client) PushSecret(ctx context.Context, secret *v1.Secret, data esv1beta1.PushSecretData) error {
 	if data.GetProperty() == "" && data.GetSecretKey() != "" {
-		return fmt.Errorf("requires property in RemoteRef to push secret value if secret key is defined")
+		return errors.New("requires property in RemoteRef to push secret value if secret key is defined")
 	}
 
 	extSecret, getErr := c.userSecretClient.Get(ctx, data.GetRemoteKey(), metav1.GetOptions{})

pkg/provider/kubernetes/provider.go

@@ -16,6 +16,7 @@ package kubernetes
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	authv1 "k8s.io/api/authorization/v1"
@@ -101,7 +102,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore,
 func (p *Provider) newClient(ctx context.Context, store esv1beta1.GenericStore, ctrlClient kclient.Client, ctrlClientset kubernetes.Interface, namespace string) (esv1beta1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Kubernetes == nil {
-		return nil, fmt.Errorf("no store type or wrong store type")
+		return nil, errors.New("no store type or wrong store type")
 	}
 	storeSpecKubernetes := storeSpec.Provider.Kubernetes
 	client := &Client{

pkg/provider/kubernetes/validate.go

@@ -16,6 +16,7 @@ package kubernetes
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	authv1 "k8s.io/api/authorization/v1"
@@ -32,19 +33,19 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 	storeSpec := store.GetSpec()
 	k8sSpec := storeSpec.Provider.Kubernetes
 	if k8sSpec.AuthRef == nil && k8sSpec.Server.CABundle == nil && k8sSpec.Server.CAProvider == nil {
-		return nil, fmt.Errorf("a CABundle or CAProvider is required")
+		return nil, errors.New("a CABundle or CAProvider is required")
 	}
 	if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind &&
 		k8sSpec.Server.CAProvider != nil &&
 		k8sSpec.Server.CAProvider.Namespace == nil {
-		return nil, fmt.Errorf("CAProvider.namespace must not be empty with ClusterSecretStore")
+		return nil, errors.New("CAProvider.namespace must not be empty with ClusterSecretStore")
 	}
 	if k8sSpec.Auth.Cert != nil {
 		if k8sSpec.Auth.Cert.ClientCert.Name == "" {
-			return nil, fmt.Errorf("ClientCert.Name cannot be empty")
+			return nil, errors.New("ClientCert.Name cannot be empty")
 		}
 		if k8sSpec.Auth.Cert.ClientCert.Key == "" {
-			return nil, fmt.Errorf("ClientCert.Key cannot be empty")
+			return nil, errors.New("ClientCert.Key cannot be empty")
 		}
 		if err := utils.ValidateSecretSelector(store, k8sSpec.Auth.Cert.ClientCert); err != nil {
 			return nil, err
@@ -52,10 +53,10 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 	}
 	if k8sSpec.Auth.Token != nil {
 		if k8sSpec.Auth.Token.BearerToken.Name == "" {
-			return nil, fmt.Errorf("BearerToken.Name cannot be empty")
+			return nil, errors.New("BearerToken.Name cannot be empty")
 		}
 		if k8sSpec.Auth.Token.BearerToken.Key == "" {
-			return nil, fmt.Errorf("BearerToken.Key cannot be empty")
+			return nil, errors.New("BearerToken.Key cannot be empty")
 		}
 		if err := utils.ValidateSecretSelector(store, k8sSpec.Auth.Token.BearerToken); err != nil {
 			return nil, err
@@ -94,7 +95,7 @@ func (c *Client) Validate() (esv1beta1.ValidationResult, error) {
 			return esv1beta1.ValidationResultReady, nil
 		}
 	}
-	return esv1beta1.ValidationResultError, fmt.Errorf("client is not allowed to get secrets")
+	return esv1beta1.ValidationResultError, errors.New("client is not allowed to get secrets")
 }
 
 func contains(sub string, args []string) bool {

pkg/provider/onboardbase/client.go

@@ -17,6 +17,7 @@ package onboardbase
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/url"
 	"strings"
@@ -71,7 +72,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 	credentialsSecret := &corev1.Secret{}
 	credentialsSecretName := c.store.Auth.OnboardbaseAPIKeyRef.Name
 	if credentialsSecretName == "" {
-		return fmt.Errorf(errOnboardbaseAPIKeySecretName)
+		return errors.New(errOnboardbaseAPIKeySecretName)
 	}
 	objectKey := types.NamespacedName{
 		Name:      credentialsSecretName,
@@ -80,7 +81,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 	// only ClusterStore is allowed to set namespace (and then it's required)
 	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
 		if c.store.Auth.OnboardbaseAPIKeyRef.Namespace == nil {
-			return fmt.Errorf(errInvalidClusterStoreMissingOnboardbaseAPIKeyNamespace)
+			return errors.New(errInvalidClusterStoreMissingOnboardbaseAPIKeyNamespace)
 		}
 		objectKey.Namespace = *c.store.Auth.OnboardbaseAPIKeyRef.Namespace
 	}
@@ -188,7 +189,7 @@ func (c *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretD
 
 func (c *Client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	if len(ref.Tags) > 0 {
-		return nil, fmt.Errorf("find by tags not supported")
+		return nil, errors.New("find by tags not supported")
 	}
 
 	secrets, err := c.getSecrets(ctx)

pkg/provider/onboardbase/fake/fake.go

@@ -15,7 +15,7 @@ limitations under the License.
 package fake
 
 import (
-	"fmt"
+	"errors"
 	"net/url"
 
 	"github.com/google/go-cmp/cmp"
@@ -51,7 +51,7 @@ func (obbc *OnboardbaseClient) WithValue(request client.SecretRequest, response
 	if obbc != nil {
 		obbc.getSecret = func(requestIn client.SecretRequest) (*client.SecretResponse, error) {
 			if !cmp.Equal(requestIn, request) {
-				return nil, fmt.Errorf("unexpected test argument")
+				return nil, errors.New("unexpected test argument")
 			}
 			return response, err
 		}

pkg/provider/onboardbase/onboardbase_test.go

@@ -16,7 +16,7 @@ package onboardbase
 
 import (
 	"context"
-	"fmt"
+	"errors"
 	"strings"
 	"testing"
 
@@ -128,7 +128,7 @@ func TestGetSecret(t *testing.T) {
 		pstc.request.Name = missingSecret
 		pstc.response = nil
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	setInvalidSecret := func(pstc *onboardbaseTestCase) {
@@ -137,14 +137,14 @@ func TestGetSecret(t *testing.T) {
 		pstc.request.Name = invalidSecret
 		pstc.response = nil
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	setClientError := func(pstc *onboardbaseTestCase) {
 		pstc.label = "invalid client error"
 		pstc.response = &client.SecretResponse{}
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	testCases := []*onboardbaseTestCase{
@@ -175,7 +175,7 @@ func TestDeleteSecret(t *testing.T) {
 		pstc.request.Name = missingSecret
 		pstc.response = nil
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	setInvalidSecret := func(pstc *onboardbaseTestCase) {
@@ -185,7 +185,7 @@ func TestDeleteSecret(t *testing.T) {
 		pstc.request.Name = invalidSecret
 		pstc.response = nil
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	deleteSecret := func(pstc *onboardbaseTestCase) {
@@ -237,7 +237,7 @@ func TestGetSecretMap(t *testing.T) {
 		pstc.label = "client error"
 		pstc.response = &client.SecretResponse{}
 		pstc.expectError = missingSecretErr
-		pstc.apiErr = fmt.Errorf("")
+		pstc.apiErr = errors.New("")
 	}
 
 	testCases := []*onboardbaseTestCase{
@@ -319,17 +319,17 @@ func TestValidateStore(t *testing.T) {
 		{
 			label: "invalid store missing onboardbaseAPIKey.name",
 			store: makeSecretStore(withAuth("", "", nil, "")),
-			err:   fmt.Errorf("invalid store: onboardbaseAPIKey.name cannot be empty"),
+			err:   errors.New("invalid store: onboardbaseAPIKey.name cannot be empty"),
 		},
 		{
 			label: "invalid store missing onboardbasePasscode.name",
 			store: makeSecretStore(withAuth(secretName, "", nil, "")),
-			err:   fmt.Errorf("invalid store: onboardbasePasscode.name cannot be empty"),
+			err:   errors.New("invalid store: onboardbasePasscode.name cannot be empty"),
 		},
 		{
 			label: "invalid store namespace not allowed",
 			store: makeSecretStore(withAuth(secretName, "", &namespace, "passcode")),
-			err:   fmt.Errorf("invalid store: namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
+			err:   errors.New("invalid store: namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
 		},
 		{
 			label: "valid provide optional onboardbaseAPIKey.key",

pkg/provider/onboardbase/provider.go

@@ -16,6 +16,7 @@ package onboardbase
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -53,7 +54,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore,
 	storeSpec := store.GetSpec()
 
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Onboardbase == nil {
-		return nil, fmt.Errorf(errOnboardbaseStore)
+		return nil, errors.New(errOnboardbaseStore)
 	}
 
 	onboardbaseStoreSpec := storeSpec.Provider.Onboardbase

pkg/provider/onepassword/onepassword.go

@@ -121,22 +121,22 @@ func validateStore(store esv1beta1.GenericStore) error {
 	// check nils
 	storeSpec := store.GetSpec()
 	if storeSpec == nil {
-		return fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreNilSpec))
+		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNilSpec))
 	}
 	if storeSpec.Provider == nil {
-		return fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreNilSpecProvider))
+		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNilSpecProvider))
 	}
 	if storeSpec.Provider.OnePassword == nil {
-		return fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreNilSpecProviderOnePassword))
+		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNilSpecProviderOnePassword))
 	}
 
 	// check mandatory fields
 	config := storeSpec.Provider.OnePassword
 	if config.Auth.SecretRef.ConnectToken.Name == "" {
-		return fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreMissingRefName))
+		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreMissingRefName))
 	}
 	if config.Auth.SecretRef.ConnectToken.Key == "" {
-		return fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreMissingRefKey))
+		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreMissingRefKey))
 	}
 
 	// check namespace compared to kind
@@ -146,12 +146,12 @@ func validateStore(store esv1beta1.GenericStore) error {
 
 	// check at least one vault
 	if len(config.Vaults) == 0 {
-		return fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreAtLeastOneVault))
+		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreAtLeastOneVault))
 	}
 
 	// ensure vault numbers are unique
 	if !hasUniqueVaultNumbers(config.Vaults) {
-		return fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreNonUniqueVaultNumbers))
+		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNonUniqueVaultNumbers))
 	}
 
 	// check valid URL
@@ -209,7 +209,7 @@ func (provider *ProviderOnePassword) DeleteSecret(_ context.Context, ref esv1bet
 }
 
 func (provider *ProviderOnePassword) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 const (
@@ -332,7 +332,7 @@ func (provider *ProviderOnePassword) PushSecret(ctx context.Context, secret *cor
 // GetSecret returns a single secret from the provider.
 func (provider *ProviderOnePassword) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if ref.Version != "" {
-		return nil, fmt.Errorf(errVersionNotImplemented)
+		return nil, errors.New(errVersionNotImplemented)
 	}
 
 	item, err := provider.findItem(ref.Key)
@@ -366,7 +366,7 @@ func (provider *ProviderOnePassword) Validate() (esv1beta1.ValidationResult, err
 // GetSecretMap returns multiple k/v pairs from the provider, for dataFrom.extract.
 func (provider *ProviderOnePassword) GetSecretMap(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if ref.Version != "" {
-		return nil, fmt.Errorf(errVersionNotImplemented)
+		return nil, errors.New(errVersionNotImplemented)
 	}
 
 	item, err := provider.findItem(ref.Key)
@@ -386,7 +386,7 @@ func (provider *ProviderOnePassword) GetSecretMap(_ context.Context, ref esv1bet
 // GetAllSecrets syncs multiple 1Password Items into a single Kubernetes Secret, for dataFrom.find.
 func (provider *ProviderOnePassword) GetAllSecrets(_ context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	if ref.Tags != nil {
-		return nil, fmt.Errorf(errTagsNotImplemented)
+		return nil, errors.New(errTagsNotImplemented)
 	}
 
 	secretData := make(map[string][]byte)

pkg/provider/onepassword/onepassword_test.go

@@ -178,7 +178,7 @@ func TestFindItem(t *testing.T) {
 				{
 					checkNote:    "two vaults",
 					findItemName: myItem,
-					expectedErr:  fmt.Errorf("key not found in 1Password Vaults: my-item in: map[my-shared-vault:2 my-vault:1]"),
+					expectedErr:  errors.New("key not found in 1Password Vaults: my-item in: map[my-shared-vault:2 my-vault:1]"),
 				},
 			},
 		},
@@ -371,7 +371,7 @@ func TestValidateStore(t *testing.T) {
 					Provider: nil,
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreNilSpecProvider)),
+			expectedErr: fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNilSpecProvider)),
 		},
 		{
 			checkNote: "invalid: nil OnePassword provider spec",
@@ -385,7 +385,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreNilSpecProviderOnePassword)),
+			expectedErr: fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNilSpecProviderOnePassword)),
 		},
 		{
 			checkNote: "valid secretStore",
@@ -441,7 +441,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore")),
+			expectedErr: fmt.Errorf(errOnePasswordStore, errors.New("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore")),
 		},
 		{
 			checkNote: "invalid: more than one vault with the same number",
@@ -469,7 +469,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreNonUniqueVaultNumbers)),
+			expectedErr: fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNonUniqueVaultNumbers)),
 		},
 		{
 			checkNote: "valid: clusterSecretStore",
@@ -525,7 +525,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf("cluster scope requires namespace")),
+			expectedErr: fmt.Errorf(errOnePasswordStore, errors.New("cluster scope requires namespace")),
 		},
 		{
 			checkNote: "invalid: missing connectTokenSecretRef.name",
@@ -552,7 +552,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreMissingRefName)),
+			expectedErr: fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreMissingRefName)),
 		},
 		{
 			checkNote: "invalid: missing connectTokenSecretRef.key",
@@ -579,7 +579,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreMissingRefKey)),
+			expectedErr: fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreMissingRefKey)),
 		},
 		{
 			checkNote: "invalid: at least one vault",
@@ -604,7 +604,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreAtLeastOneVault)),
+			expectedErr: fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreAtLeastOneVault)),
 		},
 		{
 			checkNote: "invalid: url",
@@ -631,7 +631,7 @@ func TestValidateStore(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreInvalidConnectHost, fmt.Errorf("parse \":/invalid.invalid\": missing protocol scheme"))),
+			expectedErr: fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreInvalidConnectHost, errors.New("parse \":/invalid.invalid\": missing protocol scheme"))),
 		},
 	}
 
@@ -716,7 +716,7 @@ func TestGetSecret(t *testing.T) {
 						Property: key1,
 						Version:  "123",
 					},
-					expectedErr: fmt.Errorf(errVersionNotImplemented),
+					expectedErr: errors.New(errVersionNotImplemented),
 				},
 			},
 		},
@@ -764,7 +764,7 @@ func TestGetSecret(t *testing.T) {
 						Key:      myItem,
 						Property: "you-cant-find-me.png",
 					},
-					expectedErr: fmt.Errorf(errDocumentNotFound, fmt.Errorf("'my-item', 'you-cant-find-me.png'")),
+					expectedErr: fmt.Errorf(errDocumentNotFound, errors.New("'my-item', 'you-cant-find-me.png'")),
 				},
 			},
 		},
@@ -881,7 +881,7 @@ func TestGetSecretMap(t *testing.T) {
 						Property: key1,
 						Version:  "123",
 					},
-					expectedErr: fmt.Errorf(errVersionNotImplemented),
+					expectedErr: errors.New(errVersionNotImplemented),
 				},
 			},
 		},
@@ -1096,7 +1096,7 @@ func TestGetAllSecrets(t *testing.T) {
 							"asdf": "fdas",
 						},
 					},
-					expectedErr: fmt.Errorf(errTagsNotImplemented),
+					expectedErr: errors.New(errTagsNotImplemented),
 				},
 			},
 		},

pkg/provider/oracle/oracle.go

@@ -97,7 +97,7 @@ const (
 
 func (vms *VaultManagementService) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
 	if vms.encryptionKey == "" {
-		return fmt.Errorf("SecretStore must reference encryption key")
+		return errors.New("SecretStore must reference encryption key")
 	}
 	value := secret.Data[data.GetSecretKey()]
 	if data.GetSecretKey() == "" {
@@ -171,7 +171,7 @@ func (vms *VaultManagementService) DeleteSecret(ctx context.Context, remoteRef e
 }
 
 func (vms *VaultManagementService) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
@@ -198,7 +198,7 @@ func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1be
 
 func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(vms.Client) {
-		return nil, fmt.Errorf(errUninitalizedOracleProvider)
+		return nil, errors.New(errUninitalizedOracleProvider)
 	}
 
 	sec, err := vms.Client.GetSecretBundleByName(ctx, secrets.GetSecretBundleByNameRequest{
@@ -229,7 +229,7 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1beta1.
 func decodeBundle(sec secrets.GetSecretBundleByNameResponse) ([]byte, error) {
 	bt, ok := sec.SecretBundleContent.(secrets.Base64SecretBundleContentDetails)
 	if !ok {
-		return nil, fmt.Errorf(errUnexpectedContent)
+		return nil, errors.New(errUnexpectedContent)
 	}
 	payload, err := base64.StdEncoding.DecodeString(*bt.Content)
 	if err != nil {
@@ -266,11 +266,11 @@ func (vms *VaultManagementService) NewClient(ctx context.Context, store esv1beta
 	oracleSpec := storeSpec.Provider.Oracle
 
 	if oracleSpec.Vault == "" {
-		return nil, fmt.Errorf(errMissingVault)
+		return nil, errors.New(errMissingVault)
 	}
 
 	if oracleSpec.Region == "" {
-		return nil, fmt.Errorf(errMissingRegion)
+		return nil, errors.New(errMissingRegion)
 	}
 
 	var (
@@ -412,7 +412,7 @@ func matchesRef(secretSummary vault.SecretSummary, ref esv1beta1.ExternalSecretF
 
 func getSecretData(ctx context.Context, kube kclient.Client, namespace, storeKind string, secretRef esmeta.SecretKeySelector) (string, error) {
 	if secretRef.Name == "" {
-		return "", fmt.Errorf(errORACLECredSecretName)
+		return "", errors.New(errORACLECredSecretName)
 	}
 	secret, err := resolvers.SecretKeyRef(
 		ctx,
@@ -433,7 +433,7 @@ func getUserAuthConfigurationProvider(ctx context.Context, kube kclient.Client,
 		return nil, err
 	}
 	if privateKey == "" {
-		return nil, fmt.Errorf(errMissingPK)
+		return nil, errors.New(errMissingPK)
 	}
 
 	fingerprint, err := getSecretData(ctx, kube, namespace, storeKind, store.Auth.SecretRef.Fingerprint)
@@ -441,15 +441,15 @@ func getUserAuthConfigurationProvider(ctx context.Context, kube kclient.Client,
 		return nil, err
 	}
 	if fingerprint == "" {
-		return nil, fmt.Errorf(errMissingFingerprint)
+		return nil, errors.New(errMissingFingerprint)
 	}
 
 	if store.Auth.User == "" {
-		return nil, fmt.Errorf(errMissingUser)
+		return nil, errors.New(errMissingUser)
 	}
 
 	if store.Auth.Tenancy == "" {
-		return nil, fmt.Errorf(errMissingTenancy)
+		return nil, errors.New(errMissingTenancy)
 	}
 
 	return common.NewRawConfigurationProvider(store.Auth.Tenancy, store.Auth.User, region, fingerprint, privateKey, nil), nil
@@ -500,12 +500,12 @@ func (vms *VaultManagementService) ValidateStore(store esv1beta1.GenericStore) (
 
 	vault := oracleSpec.Vault
 	if vault == "" {
-		return nil, fmt.Errorf("vault cannot be empty")
+		return nil, errors.New("vault cannot be empty")
 	}
 
 	region := oracleSpec.Region
 	if region == "" {
-		return nil, fmt.Errorf("region cannot be empty")
+		return nil, errors.New("region cannot be empty")
 	}
 
 	auth := oracleSpec.Auth
@@ -515,21 +515,21 @@ func (vms *VaultManagementService) ValidateStore(store esv1beta1.GenericStore) (
 
 	user := oracleSpec.Auth.User
 	if user == "" {
-		return nil, fmt.Errorf("user cannot be empty")
+		return nil, errors.New("user cannot be empty")
 	}
 
 	tenant := oracleSpec.Auth.Tenancy
 	if tenant == "" {
-		return nil, fmt.Errorf("tenant cannot be empty")
+		return nil, errors.New("tenant cannot be empty")
 	}
 	privateKey := oracleSpec.Auth.SecretRef.PrivateKey
 
 	if privateKey.Name == "" {
-		return nil, fmt.Errorf("privateKey.name cannot be empty")
+		return nil, errors.New("privateKey.name cannot be empty")
 	}
 
 	if privateKey.Key == "" {
-		return nil, fmt.Errorf("privateKey.key cannot be empty")
+		return nil, errors.New("privateKey.key cannot be empty")
 	}
 
 	err := utils.ValidateSecretSelector(store, privateKey)
@@ -540,11 +540,11 @@ func (vms *VaultManagementService) ValidateStore(store esv1beta1.GenericStore) (
 	fingerprint := oracleSpec.Auth.SecretRef.Fingerprint
 
 	if fingerprint.Name == "" {
-		return nil, fmt.Errorf("fingerprint.name cannot be empty")
+		return nil, errors.New("fingerprint.name cannot be empty")
 	}
 
 	if fingerprint.Key == "" {
-		return nil, fmt.Errorf("fingerprint.key cannot be empty")
+		return nil, errors.New("fingerprint.key cannot be empty")
 	}
 
 	err = utils.ValidateSecretSelector(store, fingerprint)

pkg/provider/oracle/oracle_test.go

@@ -21,6 +21,7 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"reflect"
 	"strings"
@@ -112,7 +113,7 @@ func makeValidVaultTestCaseCustom(tweaks ...func(smtc *vaultTestCase)) *vaultTes
 // This case can be shared by both GetSecret and GetSecretMap tests.
 // bad case: set apiErr.
 var setAPIErr = func(smtc *vaultTestCase) {
-	smtc.apiErr = fmt.Errorf("oh no")
+	smtc.apiErr = errors.New("oh no")
 	smtc.expectError = "oh no"
 }
 
@@ -264,43 +265,43 @@ func TestValidateStore(t *testing.T) {
 	testCases := []ValidateStoreTestCase{
 		{
 			store: makeSecretStore("", region),
-			err:   fmt.Errorf("vault cannot be empty"),
+			err:   errors.New("vault cannot be empty"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, ""),
-			err:   fmt.Errorf("region cannot be empty"),
+			err:   errors.New("region cannot be empty"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region, withSecretAuth("", tenant)),
-			err:   fmt.Errorf("user cannot be empty"),
+			err:   errors.New("user cannot be empty"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region, withSecretAuth(userOCID, "")),
-			err:   fmt.Errorf("tenant cannot be empty"),
+			err:   errors.New("tenant cannot be empty"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region, withSecretAuth(userOCID, tenant), withPrivateKey("", secretKey, nil)),
-			err:   fmt.Errorf("privateKey.name cannot be empty"),
+			err:   errors.New("privateKey.name cannot be empty"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region, withSecretAuth(userOCID, tenant), withPrivateKey(secretName, secretKey, &namespace)),
-			err:   fmt.Errorf("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
+			err:   errors.New("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region, withSecretAuth(userOCID, tenant), withPrivateKey(secretName, "", nil)),
-			err:   fmt.Errorf("privateKey.key cannot be empty"),
+			err:   errors.New("privateKey.key cannot be empty"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region, withSecretAuth(userOCID, tenant), withPrivateKey(secretName, secretKey, nil), withFingerprint("", secretKey, nil)),
-			err:   fmt.Errorf("fingerprint.name cannot be empty"),
+			err:   errors.New("fingerprint.name cannot be empty"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region, withSecretAuth(userOCID, tenant), withPrivateKey(secretName, secretKey, nil), withFingerprint(secretName, secretKey, &namespace)),
-			err:   fmt.Errorf("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
+			err:   errors.New("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region, withSecretAuth(userOCID, tenant), withPrivateKey(secretName, secretKey, nil), withFingerprint(secretName, "", nil)),
-			err:   fmt.Errorf("fingerprint.key cannot be empty"),
+			err:   errors.New("fingerprint.key cannot be empty"),
 		},
 		{
 			store: makeSecretStore(vaultOCID, region),

pkg/provider/passbolt/passbolt.go

@@ -98,7 +98,7 @@ func (provider *ProviderPassbolt) NewClient(ctx context.Context, store esv1beta1
 }
 
 func (provider *ProviderPassbolt) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf(errNotImplemented)
+	return false, errors.New(errNotImplemented)
 }
 
 func (provider *ProviderPassbolt) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
@@ -119,11 +119,11 @@ func (provider *ProviderPassbolt) GetSecret(ctx context.Context, ref esv1beta1.E
 }
 
 func (provider *ProviderPassbolt) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (provider *ProviderPassbolt) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf(errNotImplemented)
+	return errors.New(errNotImplemented)
 }
 
 func (provider *ProviderPassbolt) Validate() (esv1beta1.ValidationResult, error) {
@@ -131,7 +131,7 @@ func (provider *ProviderPassbolt) Validate() (esv1beta1.ValidationResult, error)
 }
 
 func (provider *ProviderPassbolt) GetSecretMap(_ context.Context, _ esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	return nil, fmt.Errorf(errNotImplemented)
+	return nil, errors.New(errNotImplemented)
 }
 
 func (provider *ProviderPassbolt) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {

pkg/provider/passbolt/passbolt_test.go

@@ -17,7 +17,6 @@ package passbolt
 import (
 	"context"
 	"errors"
-	"fmt"
 	"strings"
 	"testing"
 
@@ -100,21 +99,21 @@ func TestValidateStore(t *testing.T) {
 
 	// missing auth
 	_, err := p.ValidateStore(store)
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errPassboltStoreMissingAuth)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errPassboltStoreMissingAuth)))
 
 	// missing password
 	store.Spec.Provider.Passbolt.Auth = &esv1beta1.PassboltAuth{
 		PrivateKeySecretRef: &esmeta.SecretKeySelector{Key: "some-secret", Name: "privatekey"},
 	}
 	_, err = p.ValidateStore(store)
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errPassboltStoreMissingAuthPassword)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errPassboltStoreMissingAuthPassword)))
 
 	// missing privateKey
 	store.Spec.Provider.Passbolt.Auth = &esv1beta1.PassboltAuth{
 		PasswordSecretRef: &esmeta.SecretKeySelector{Key: "some-secret", Name: "password"},
 	}
 	_, err = p.ValidateStore(store)
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errPassboltStoreMissingAuthPrivateKey)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errPassboltStoreMissingAuthPrivateKey)))
 
 	store.Spec.Provider.Passbolt.Auth = &esv1beta1.PassboltAuth{
 
@@ -124,12 +123,12 @@ func TestValidateStore(t *testing.T) {
 
 	// missing host
 	_, err = p.ValidateStore(store)
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errPassboltStoreMissingHost)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errPassboltStoreMissingHost)))
 
 	// not https
 	store.Spec.Provider.Passbolt.Host = "http://passbolt.test"
 	_, err = p.ValidateStore(store)
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errPassboltStoreHostSchemeNotHTTPS)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errPassboltStoreHostSchemeNotHTTPS)))
 
 	// spec ok
 	store.Spec.Provider.Passbolt.Host = "https://passbolt.test"
@@ -276,23 +275,23 @@ func TestSecretExists(t *testing.T) {
 	p := &ProviderPassbolt{client: clientMock}
 	g.RegisterTestingT(t)
 	_, err := p.SecretExists(context.TODO(), nil)
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errNotImplemented)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errNotImplemented)))
 }
 func TestPushSecret(t *testing.T) {
 	p := &ProviderPassbolt{client: clientMock}
 	g.RegisterTestingT(t)
 	err := p.PushSecret(context.TODO(), nil, nil)
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errNotImplemented)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errNotImplemented)))
 }
 func TestDeleteSecret(t *testing.T) {
 	p := &ProviderPassbolt{client: clientMock}
 	g.RegisterTestingT(t)
 	err := p.DeleteSecret(context.TODO(), nil)
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errNotImplemented)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errNotImplemented)))
 }
 func TestGetSecretMap(t *testing.T) {
 	p := &ProviderPassbolt{client: clientMock}
 	g.RegisterTestingT(t)
 	_, err := p.GetSecretMap(context.TODO(), esv1beta1.ExternalSecretDataRemoteRef{})
-	g.Expect(err).To(g.BeEquivalentTo(fmt.Errorf(errNotImplemented)))
+	g.Expect(err).To(g.BeEquivalentTo(errors.New(errNotImplemented)))
 }

pkg/provider/passworddepot/passworddepot.go

@@ -35,7 +35,7 @@ const (
 	errFetchSAKSecret                         = "couldn't find secret on cluster: %w"
 	errMissingSAK                             = "missing credentials while setting auth"
 	errUninitalizedPasswordDepotProvider      = "provider passworddepot is not initialized"
-	errJSONSecretUnmarshal                    = "unable to unmarshal secret: %w"
+	errNotImplemented                         = "%s not implemented"
 )
 
 type Client interface {
@@ -69,7 +69,7 @@ func (c *passwordDepotClient) getAuth(ctx context.Context) (string, string, erro
 	credentialsSecret := &corev1.Secret{}
 	credentialsSecretName := c.store.Auth.SecretRef.Credentials.Name
 	if credentialsSecretName == "" {
-		return "", "", fmt.Errorf(errPasswordDepotCredSecretName)
+		return "", "", errors.New(errPasswordDepotCredSecretName)
 	}
 	objectKey := types.NamespacedName{
 		Name:      credentialsSecretName,
@@ -78,7 +78,7 @@ func (c *passwordDepotClient) getAuth(ctx context.Context) (string, string, erro
 	// only ClusterStore is allowed to set namespace (and then it's required)
 	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.Credentials.Namespace == nil {
-			return "", "", fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
+			return "", "", errors.New(errInvalidClusterStoreMissingSAKNamespace)
 		}
 		objectKey.Namespace = *c.store.Auth.SecretRef.Credentials.Namespace
 	}
@@ -91,22 +91,17 @@ func (c *passwordDepotClient) getAuth(ctx context.Context) (string, string, erro
 	username := credentialsSecret.Data["username"]
 	password := credentialsSecret.Data["password"]
 	if (username == nil) || (len(username) == 0 || password == nil) || (len(password) == 0) {
-		return "", "", fmt.Errorf(errMissingSAK)
+		return "", "", errors.New(errMissingSAK)
 	}
 
 	return string(username), string(password), nil
 }
 
-// Function newPasswordDepotProvider returns a reference to a new instance of a 'PasswordDepot' struct.
-func NewPasswordDepotProvider() *PasswordDepot {
-	return &PasswordDepot{}
-}
-
-// Method on PasswordDepot Provider to set up client with credentials and populate projectID.
+// NewClient Method on PasswordDepot Provider to set up client with credentials and populate projectID.
 func (p *PasswordDepot) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.PasswordDepot == nil {
-		return nil, fmt.Errorf("no store type or wrong store type")
+		return nil, errors.New("no store type or wrong store type")
 	}
 	storeSpecPasswordDepot := storeSpec.Provider.PasswordDepot
 
@@ -135,7 +130,7 @@ func (p *PasswordDepot) NewClient(ctx context.Context, store esv1beta1.GenericSt
 }
 
 func (p *PasswordDepot) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, fmt.Errorf(errNotImplemented, "SecretExists")
 }
 
 func (p *PasswordDepot) Validate() (esv1beta1.ValidationResult, error) {
@@ -143,20 +138,20 @@ func (p *PasswordDepot) Validate() (esv1beta1.ValidationResult, error) {
 }
 
 func (p *PasswordDepot) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
-	return fmt.Errorf("not implemented")
+	return fmt.Errorf(errNotImplemented, "PushSecret")
 }
 
 func (p *PasswordDepot) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
-	return nil, fmt.Errorf("GetAllSecrets not implemented")
+	return nil, fmt.Errorf(errNotImplemented, "GetAllSecrets")
 }
 
 func (p *PasswordDepot) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
-	return fmt.Errorf("not implemented")
+	return fmt.Errorf(errNotImplemented, "DeleteSecret")
 }
 
 func (p *PasswordDepot) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(p.client) {
-		return nil, fmt.Errorf(errUninitalizedPasswordDepotProvider)
+		return nil, errors.New(errUninitalizedPasswordDepotProvider)
 	}
 
 	data, err := p.client.GetSecret(p.database, ref.Key)

pkg/provider/scaleway/client.go

@@ -59,7 +59,7 @@ func (r scwSecretRef) String() string {
 func decodeScwSecretRef(key string) (*scwSecretRef, error) {
 	sepIndex := strings.IndexRune(key, ':')
 	if sepIndex < 0 {
-		return nil, fmt.Errorf("invalid secret reference: missing colon ':'")
+		return nil, errors.New("invalid secret reference: missing colon ':'")
 	}
 
 	return &scwSecretRef{
@@ -104,7 +104,7 @@ func (c *client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretData
 
 func (c *client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
 	if data.GetSecretKey() == "" {
-		return fmt.Errorf("pushing the whole secret is not yet implemented")
+		return errors.New("pushing the whole secret is not yet implemented")
 	}
 
 	value := secret.Data[data.GetSecretKey()]
@@ -128,14 +128,14 @@ func (c *client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv
 	case refTypePath:
 		name, path, ok := splitNameAndPath(scwRef.Value)
 		if !ok {
-			return fmt.Errorf("ref is not a path")
+			return errors.New("ref is not a path")
 		}
 		listSecretReq.Name = &name
 		listSecretReq.Path = &path
 		secretName = name
 		secretPath = path
 	default:
-		return fmt.Errorf("secrets can only be pushed by name or path")
+		return errors.New("secrets can only be pushed by name or path")
 	}
 
 	var secretID string
@@ -234,13 +234,13 @@ func (c *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecre
 	case refTypePath:
 		name, path, ok := splitNameAndPath(scwRef.Value)
 		if !ok {
-			return fmt.Errorf("ref is not a path")
+			return errors.New("ref is not a path")
 		}
 		listSecretReq.Name = &name
 		listSecretReq.Path = &path
 
 	default:
-		return fmt.Errorf("secrets can only be deleted by name or path")
+		return errors.New("secrets can only be deleted by name or path")
 	}
 
 	listSecrets, err := c.api.ListSecrets(listSecretReq, scw.WithContext(ctx))
@@ -265,7 +265,7 @@ func (c *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecre
 }
 
 func (c *client) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
-	return false, fmt.Errorf("not implemented")
+	return false, errors.New("not implemented")
 }
 
 func (c *client) Validate() (esv1beta1.ValidationResult, error) {
@@ -408,7 +408,7 @@ func (c *client) accessSecretVersion(ctx context.Context, secretRef *scwSecretRe
 	case refTypePath:
 		name, path, ok := splitNameAndPath(secretRef.Value)
 		if !ok {
-			return nil, fmt.Errorf("ref is not a path")
+			return nil, errors.New("ref is not a path")
 		}
 
 		request.Name = &name

pkg/provider/scaleway/provider.go

@@ -16,6 +16,7 @@ package scaleway
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	smapi "github.com/scaleway/scaleway-sdk-go/api/secret/v1beta1"
@@ -50,7 +51,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore,
 
 	if store.GetKind() == esv1beta1.ClusterSecretStoreKind && doesConfigDependOnNamespace(cfg) {
 		// we are not attached to a specific namespace, but some config values are dependent on it
-		return nil, fmt.Errorf("when using a ClusterSecretStore, namespaces must be explicitly set")
+		return nil, errors.New("when using a ClusterSecretStore, namespaces must be explicitly set")
 	}
 
 	accessKey, err := loadConfigSecret(ctx, cfg.AccessKey, kube, namespace, store.GetKind())
@@ -97,14 +98,14 @@ func loadConfigSecret(ctx context.Context, ref *esv1beta1.ScalewayProviderSecret
 func validateSecretRef(store esv1beta1.GenericStore, ref *esv1beta1.ScalewayProviderSecretRef) error {
 	if ref.SecretRef != nil {
 		if ref.Value != "" {
-			return fmt.Errorf("cannot specify both secret reference and value")
+			return errors.New("cannot specify both secret reference and value")
 		}
 		err := utils.ValidateReferentSecretSelector(store, *ref.SecretRef)
 		if err != nil {
 			return err
 		}
 	} else if ref.Value == "" {
-		return fmt.Errorf("must specify either secret reference or direct value")
+		return errors.New("must specify either secret reference or direct value")
 	}
 
 	return nil
@@ -124,12 +125,12 @@ func doesConfigDependOnNamespace(cfg *esv1beta1.ScalewayProvider) bool {
 
 func getConfig(store esv1beta1.GenericStore) (*esv1beta1.ScalewayProvider, error) {
 	if store == nil {
-		return nil, fmt.Errorf("missing store specification")
+		return nil, errors.New("missing store specification")
 	}
 	storeSpec := store.GetSpec()
 
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Scaleway == nil {
-		return nil, fmt.Errorf("invalid specification for scaleway provider")
+		return nil, errors.New("invalid specification for scaleway provider")
 	}
 	cfg := storeSpec.Provider.Scaleway
 

pkg/provider/senhasegura/provider.go

@@ -16,6 +16,7 @@ package senhasegura
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/url"
 
@@ -77,16 +78,16 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) (admission.Warnin
 
 func validateStore(store esv1beta1.GenericStore) error {
 	if store == nil {
-		return fmt.Errorf(errNilStore)
+		return errors.New(errNilStore)
 	}
 
 	spec := store.GetSpec()
 	if spec == nil {
-		return fmt.Errorf(errMissingStoreSpec)
+		return errors.New(errMissingStoreSpec)
 	}
 
 	if spec.Provider == nil {
-		return fmt.Errorf(errMissingProvider)
+		return errors.New(errMissingProvider)
 	}
 
 	provider := spec.Provider.Senhasegura
@@ -96,21 +97,21 @@ func validateStore(store esv1beta1.GenericStore) error {
 
 	url, err := url.Parse(provider.URL)
 	if err != nil {
-		return fmt.Errorf(errInvalidSenhaseguraURL)
+		return errors.New(errInvalidSenhaseguraURL)
 	}
 
 	// senhasegura doesn't accept requests without SSL/TLS layer for security reasons
 	// DSM doesn't provides gRPC schema, only HTTPS
 	if url.Scheme != "https" {
-		return fmt.Errorf(errInvalidSenhaseguraURLHTTPS)
+		return errors.New(errInvalidSenhaseguraURLHTTPS)
 	}
 
 	if url.Host == "" {
-		return fmt.Errorf(errInvalidSenhaseguraURL)
+		return errors.New(errInvalidSenhaseguraURL)
 	}
 
 	if provider.Auth.ClientID == "" {
-		return fmt.Errorf(errMissingClientID)
+		return errors.New(errMissingClientID)
 	}
 
 	return nil

pkg/provider/vault/auth.go

@@ -155,11 +155,11 @@ func checkToken(ctx context.Context, token util.Token) (bool, error) {
 	// LookupSelfWithContext() calls ParseSecret(), which has several places
 	// that return no data and no error, including when a token is expired.
 	if resp == nil {
-		return false, fmt.Errorf("no response nor error for token lookup")
+		return false, errors.New("no response nor error for token lookup")
 	}
 	t, ok := resp.Data["type"]
 	if !ok {
-		return false, fmt.Errorf("could not assert token type")
+		return false, errors.New("could not assert token type")
 	}
 	tokenType := t.(string)
 	if tokenType == "batch" {
@@ -167,7 +167,7 @@ func checkToken(ctx context.Context, token util.Token) (bool, error) {
 	}
 	ttl, ok := resp.Data["ttl"]
 	if !ok {
-		return false, fmt.Errorf("no TTL found in response")
+		return false, errors.New("no TTL found in response")
 	}
 	ttlInt, err := ttl.(json.Number).Int64()
 	if err != nil {
@@ -175,7 +175,7 @@ func checkToken(ctx context.Context, token util.Token) (bool, error) {
 	}
 	expireTime, ok := resp.Data["expire_time"]
 	if !ok {
-		return false, fmt.Errorf("no expiration time found in response")
+		return false, errors.New("no expiration time found in response")
 	}
 	if ttlInt < 60 && expireTime != nil {
 		// Treat expirable tokens that are about to expire as already expired.

pkg/provider/vault/auth_approle.go

@@ -16,7 +16,7 @@ package vault
 
 import (
 	"context"
-	"fmt"
+	"errors"
 	"strings"
 
 	"github.com/hashicorp/vault/api/auth/approle"
@@ -56,7 +56,7 @@ func (c *client) requestTokenWithAppRoleRef(ctx context.Context, appRole *esv1be
 			return err
 		}
 	} else { // we ran out of ways to get RoleID. return an appropriate error
-		return fmt.Errorf(errInvalidAppRoleID)
+		return errors.New(errInvalidAppRoleID)
 	}
 
 	secretID, err := resolvers.SecretKeyRef(ctx, c.kube, c.storeKind, c.namespace, &appRole.SecretRef)

pkg/provider/vault/auth_jwt.go

@@ -16,6 +16,7 @@ package vault
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -66,7 +67,7 @@ func (c *client) requestTokenWithJwtAuth(ctx context.Context, jwtAuth *esv1beta1
 			*audiences,
 			*expirationSeconds)
 	} else {
-		err = fmt.Errorf(errJwtNoTokenSource)
+		err = errors.New(errJwtNoTokenSource)
 	}
 	if err != nil {
 		return err

pkg/provider/vault/auth_test.go

@@ -134,7 +134,7 @@ func TestSetAuthNamespace(t *testing.T) {
 
 			c, cfg, err := prov.prepareConfig(context.Background(), kube, nil, tc.args.store.Spec.Provider.Vault, nil, "default", store.GetObjectKind().GroupVersionKind().Kind)
 			if err != nil {
-				t.Errorf(err.Error())
+				t.Error(err.Error())
 			}
 
 			client, err := getVaultClient(prov, tc.args.store, cfg)

pkg/provider/vault/client_get.go

@@ -218,7 +218,7 @@ func (c *client) buildMetadataPath(path string) (string, error) {
 		url = fmt.Sprintf("%s/%s", *c.store.Path, path)
 	} else { // KV v2 is used
 		if c.store.Path == nil && !strings.Contains(path, "data") {
-			return "", fmt.Errorf(errPathInvalid)
+			return "", errors.New(errPathInvalid)
 		}
 		if c.store.Path == nil {
 			path = strings.Replace(path, "data", "metadata", 1)

pkg/provider/vault/client_get_test.go

@@ -309,7 +309,7 @@ func TestGetSecret(t *testing.T) {
 				},
 			},
 			want: want{
-				err: fmt.Errorf(errNotFound),
+				err: errors.New(errNotFound),
 			},
 		},
 		"FailReadSecretMetadataWrongVersion": {
@@ -324,7 +324,7 @@ func TestGetSecret(t *testing.T) {
 				},
 			},
 			want: want{
-				err: fmt.Errorf(errUnsupportedMetadataKvVersion),
+				err: errors.New(errUnsupportedMetadataKvVersion),
 			},
 		},
 	}

pkg/provider/vault/client_push.go

@@ -74,7 +74,7 @@ func (c *client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv
 		}
 		manager, ok := metadata["managed-by"]
 		if !ok || manager != "external-secrets" {
-			return fmt.Errorf("secret not managed by external-secrets")
+			return errors.New("secret not managed by external-secrets")
 		}
 	}
 	// Remove the metadata map to check the reconcile difference

pkg/provider/vault/client_push_test.go

@@ -85,13 +85,13 @@ func TestDeleteSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV1).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
-					ReadWithDataWithContextFn: fake.NewReadWithContextFn(nil, fmt.Errorf("failed to read")),
+					ReadWithDataWithContextFn: fake.NewReadWithContextFn(nil, errors.New("failed to read")),
 					WriteWithContextFn:        fake.ExpectWriteWithContextNoCall(),
 					DeleteWithContextFn:       fake.ExpectDeleteWithContextNoCall(),
 				},
 			},
 			want: want{
-				err: fmt.Errorf("failed to read"),
+				err: errors.New("failed to read"),
 			},
 		},
 		"DeleteSecretFailIfErrorKV2": {
@@ -99,13 +99,13 @@ func TestDeleteSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
-					ReadWithDataWithContextFn: fake.NewReadWithContextFn(nil, fmt.Errorf("failed to read")),
+					ReadWithDataWithContextFn: fake.NewReadWithContextFn(nil, errors.New("failed to read")),
 					WriteWithContextFn:        fake.ExpectWriteWithContextNoCall(),
 					DeleteWithContextFn:       fake.ExpectDeleteWithContextNoCall(),
 				},
 			},
 			want: want{
-				err: fmt.Errorf("failed to read"),
+				err: errors.New("failed to read"),
 			},
 		},
 		"DeleteSecretNotManagedKV1": {
@@ -200,11 +200,11 @@ func TestDeleteSecret(t *testing.T) {
 						},
 					}, nil),
 					WriteWithContextFn:  fake.ExpectWriteWithContextNoCall(),
-					DeleteWithContextFn: fake.NewDeleteWithContextFn(nil, fmt.Errorf("failed to delete")),
+					DeleteWithContextFn: fake.NewDeleteWithContextFn(nil, errors.New("failed to delete")),
 				},
 			},
 			want: want{
-				err: fmt.Errorf("failed to delete"),
+				err: errors.New("failed to delete"),
 			},
 		},
 		"DeleteSecretErrorKV2": {
@@ -221,11 +221,11 @@ func TestDeleteSecret(t *testing.T) {
 						},
 					}, nil),
 					WriteWithContextFn:  fake.ExpectWriteWithContextNoCall(),
-					DeleteWithContextFn: fake.NewDeleteWithContextFn(nil, fmt.Errorf("failed to delete")),
+					DeleteWithContextFn: fake.NewDeleteWithContextFn(nil, errors.New("failed to delete")),
 				},
 			},
 			want: want{
-				err: fmt.Errorf("failed to delete"),
+				err: errors.New("failed to delete"),
 			},
 		},
 		"DeleteSecretUpdatePropertyKV1": {