
Refactor the PushSecret interface (#2859)

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Shuhei Kitagawa 2 years ago
parent
commit
c9b3f97425
42 changed files with 543 additions and 443 deletions
  1. 16 0
      apis/externalsecrets/v1alpha1/pushsecret_types.go
  2. 1 1
      apis/externalsecrets/v1beta1/fakes/pushremoteref.go
  3. 2 3
      apis/externalsecrets/v1beta1/provider.go
  4. 2 3
      apis/externalsecrets/v1beta1/provider_schema_test.go
  5. 17 2
      apis/externalsecrets/v1beta1/pushsecret_interfaces.go
  6. 7 2
      docs/api/spec.md
  7. 5 6
      pkg/controllers/pushsecret/pushsecret_controller.go
  8. 2 2
      pkg/controllers/secretstore/client_manager_test.go
  9. 2 3
      pkg/provider/akeyless/akeyless.go
  10. 2 3
      pkg/provider/alibaba/kms.go
  11. 4 4
      pkg/provider/aws/parameterstore/parameterstore.go
  12. 11 15
      pkg/provider/aws/parameterstore/parameterstore_test.go
  13. 7 7
      pkg/provider/aws/secretsmanager/secretsmanager.go
  14. 38 43
      pkg/provider/aws/secretsmanager/secretsmanager_test.go
  15. 4 4
      pkg/provider/azure/keyvault/keyvault.go
  16. 138 113
      pkg/provider/azure/keyvault/keyvault_test.go
  17. 2 3
      pkg/provider/conjur/provider.go
  18. 2 3
      pkg/provider/delinea/client.go
  19. 2 3
      pkg/provider/doppler/client.go
  20. 5 5
      pkg/provider/fake/fake.go
  21. 10 2
      pkg/provider/fake/fake_test.go
  22. 8 8
      pkg/provider/gcp/secretmanager/client.go
  23. 40 37
      pkg/provider/gcp/secretmanager/client_test.go
  24. 16 19
      pkg/provider/gcp/secretmanager/push_secret.go
  25. 2 3
      pkg/provider/gitlab/gitlab.go
  26. 2 3
      pkg/provider/ibm/provider.go
  27. 10 10
      pkg/provider/keepersecurity/client.go
  28. 20 17
      pkg/provider/keepersecurity/client_test.go
  29. 14 14
      pkg/provider/kubernetes/client.go
  30. 19 8
      pkg/provider/kubernetes/client_test.go
  31. 2 3
      pkg/provider/onepassword/onepassword.go
  32. 4 4
      pkg/provider/oracle/oracle.go
  33. 12 6
      pkg/provider/oracle/oracle_test.go
  34. 4 4
      pkg/provider/scaleway/client.go
  35. 33 28
      pkg/provider/scaleway/client_test.go
  36. 2 3
      pkg/provider/senhasegura/dsm/dsm.go
  37. 6 7
      pkg/provider/testing/fake/fake.go
  38. 40 0
      pkg/provider/testing/fake/push_secret_data.go
  39. 10 10
      pkg/provider/vault/vault.go
  40. 16 26
      pkg/provider/vault/vault_test.go
  41. 2 3
      pkg/provider/webhook/webhook.go
  42. 2 3
      pkg/provider/yandex/common/secretsclient.go

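--- a/apis/externalsecrets/v1alpha1/pushsecret_types.go
+++ b/apis/externalsecrets/v1alpha1/pushsecret_types.go
@@ -105,6 +105,22 @@ type PushSecretData struct {
 	Metadata *apiextensionsv1.JSON `json:"metadata,omitempty"`
 }
 
+func (d PushSecretData) GetMetadata() *apiextensionsv1.JSON {
+	return d.Metadata
+}
+
+func (d PushSecretData) GetSecretKey() string {
+	return d.Match.SecretKey
+}
+
+func (d PushSecretData) GetRemoteKey() string {
+	return d.Match.RemoteRef.RemoteKey
+}
+
+func (d PushSecretData) GetProperty() string {
+	return d.Match.RemoteRef.Property
+}
+
 // PushSecretConditionType indicates the condition of the PushSecret.
 type PushSecretConditionType string
 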

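--- a/apis/externalsecrets/v1beta1/fakes/pushremoteref.go
+++ b/apis/externalsecrets/v1beta1/fakes/pushremoteref.go
@@ -103,4 +103,4 @@ func (fake *PushRemoteRef) recordInvocation(key string, args []interface{}) {
 	fake.invocations[key] = append(fake.invocations[key], args)
 }
 
-var _ v1beta1.PushRemoteRef = new(PushRemoteRef)
+var _ v1beta1.PushSecretRemoteRef = new(PushRemoteRef)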

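--- a/apis/externalsecrets/v1beta1/provider.go
+++ b/apis/externalsecrets/v1beta1/provider.go
@@ -18,7 +18,6 @@ import (
 	"context"
 
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -70,10 +69,10 @@ type SecretsClient interface {
 	GetSecret(ctx context.Context, ref ExternalSecretDataRemoteRef) ([]byte, error)
 
 	// PushSecret will write a single secret into the provider
-	PushSecret(ctx context.Context, value []byte, typed corev1.SecretType, metadata *apiextensionsv1.JSON, remoteRef PushRemoteRef) error
+	PushSecret(ctx context.Context, secret *corev1.Secret, data PushSecretData) error
 
 	// DeleteSecret will delete the secret from a provider
-	DeleteSecret(ctx context.Context, remoteRef PushRemoteRef) error
+	DeleteSecret(ctx context.Context, remoteRef PushSecretRemoteRef) error
 
 	// Validate checks if the client is configured correctly
 	// and is able to retrieve secrets from the provider.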
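Review bot: The doc comment on `PushSecret` still reads only "will write a single secret into the provider", although the method now receives the whole `*corev1.Secret` and each implementation has to select the value itself. The contract should be stated on the interface, for example `// PushSecret writes secret.Data[data.GetSecretKey()] to the provider under data.GetRemoteKey(); it returns an error if secret is nil or the key is absent.` Without it, every provider decides independently what a missing key or a nil `secret` means. The `SecretsClient` interface starts and ends outside this hunk.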

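--- a/apis/externalsecrets/v1beta1/provider_schema_test.go
+++ b/apis/externalsecrets/v1beta1/provider_schema_test.go
@@ -19,7 +19,6 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -37,12 +36,12 @@ func (p *PP) NewClient(_ context.Context, _ GenericStore, _ client.Client, _ str
 }
 
 // PushSecret writes a single secret into a provider.
-func (p *PP) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ PushRemoteRef) error {
+func (p *PP) PushSecret(_ context.Context, _ *corev1.Secret, _ PushSecretData) error {
 	return nil
 }
 
 // DeleteSecret deletes a single secret from a provider.
-func (p *PP) DeleteSecret(_ context.Context, _ PushRemoteRef) error {
+func (p *PP) DeleteSecret(_ context.Context, _ PushSecretRemoteRef) error {
 	return nil
 }
 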

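--- a/apis/externalsecrets/v1beta1/pushsecret_interfaces.go
+++ b/apis/externalsecrets/v1beta1/pushsecret_interfaces.go
@@ -13,13 +13,28 @@ limitations under the License.
 */
 package v1beta1
 
+import apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+
+// +kubebuilder:object:root=false
+// +kubebuilder:object:generate:false
+// +k8s:deepcopy-gen:interfaces=nil
+// +k8s:deepcopy-gen=nil
+
+// PushSecretData is an interface to allow using v1alpha1.PushSecretData content in Provider registered in v1beta1.
+type PushSecretData interface {
+	GetMetadata() *apiextensionsv1.JSON
+	GetSecretKey() string
+	GetRemoteKey() string
+	GetProperty() string
+}
+
 // +kubebuilder:object:root=false
 // +kubebuilder:object:generate:false
 // +k8s:deepcopy-gen:interfaces=nil
 // +k8s:deepcopy-gen=nil
 
-// This interface is to allow using v1alpha1 content in Provider registered in v1beta1.
-type PushRemoteRef interface {
+// PushSecretRemoteRef is an interface to allow using v1alpha1.PushSecretRemoteRef in Provider registered in v1beta1.
+type PushSecretRemoteRef interface {
 	GetRemoteKey() string
 	GetProperty() string
 }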
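Review bot: `PushSecretData` repeats `GetRemoteKey()` and `GetProperty()` from `PushSecretRemoteRef` instead of embedding it, so the relation between the two interfaces is only implicit and their method sets can drift apart. Embedding states it directly: `type PushSecretData interface { PushSecretRemoteRef; GetMetadata() *apiextensionsv1.JSON; GetSecretKey() string }`. The methods also carry no comments; one line each saying that `GetSecretKey` names the key inside the Kubernetes Secret while `GetRemoteKey` and `GetProperty` address the provider side would tell provider authors which value they are expected to read.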

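--- a/docs/api/spec.md
+++ b/docs/api/spec.md
@@ -4664,10 +4664,15 @@ External Secrets meta/v1.SecretKeySelector
 <p>
 <p>Provider is a common interface for interacting with secret backends.</p>
 </p>
-<h3 id="external-secrets.io/v1beta1.PushRemoteRef">PushRemoteRef
+<h3 id="external-secrets.io/v1beta1.PushSecretData">PushSecretData
 </h3>
 <p>
-<p>This interface is to allow using v1alpha1 content in Provider registered in v1beta1.</p>
+<p>PushSecretData is an interface to allow using v1alpha1.PushSecretData content in Provider registered in v1beta1.</p>
+</p>
+<h3 id="external-secrets.io/v1beta1.PushSecretRemoteRef">PushSecretRemoteRef
+</h3>
+<p>
+<p>PushSecretRemoteRef is an interface to allow using v1alpha1.PushSecretRemoteRef in Provider registered in v1beta1.</p>
 </p>
 <h3 id="external-secrets.io/v1beta1.ScalewayProvider">ScalewayProvider
 </h3>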

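--- a/pkg/controllers/pushsecret/pushsecret_controller.go
+++ b/pkg/controllers/pushsecret/pushsecret_controller.go
@@ -275,21 +275,20 @@ func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores map[esapi
 			Name: store.GetName(),
 			Kind: ref.Kind,
 		}
-		client, err := mgr.Get(ctx, storeRef, ps.GetNamespace(), nil)
+		secretClient, err := mgr.Get(ctx, storeRef, ps.GetNamespace(), nil)
 		if err != nil {
 			return out, fmt.Errorf("could not get secrets client for store %v: %w", store.GetName(), err)
 		}
 		for _, data := range ps.Spec.Data {
-			secretValue, ok := secret.Data[data.Match.SecretKey]
-			if !ok {
+			if _, ok := secret.Data[data.Match.SecretKey]; !ok {
 				return out, fmt.Errorf("secret key %v does not exist", data.Match.SecretKey)
 			}
 
-			err := client.PushSecret(ctx, secretValue, secret.Type, data.Metadata, data.Match.RemoteRef)
+			err := secretClient.PushSecret(ctx, secret, data)
 			if err != nil {
 				return out, fmt.Errorf(errSetSecretFailed, data.Match.SecretKey, store.GetName(), err)
 			}
-			out[storeKey][statusRef(data.Match.RemoteRef)] = data
+			out[storeKey][statusRef(data)] = data
 		}
 	}
 	return out, nil
@@ -423,7 +422,7 @@ func getPushSecretCondition(status esapi.PushSecretStatus, condType esapi.PushSe
 	return nil
 }
 
-func statusRef(ref v1beta1.PushSecretData) string {
+func statusRef(ref v1beta1.PushSecretData) string {
 	if ref.GetProperty() != "" {
 		return ref.GetRemoteKey() + "/" + ref.GetProperty()
 	}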
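Review bot: `secretClient.PushSecret(ctx, secret, data)` now hands every provider the complete Secret, where the previous call passed only the single value selected by `data.Match.SecretKey`. Provider code can therefore read keys that this PushSecret entry never named, and the presence check `if _, ok := secret.Data[data.Match.SecretKey]; !ok` lives here while the lookup itself moved into each provider. If providers are meant to use only the matched key, a comment above the call such as `// Providers must read only secret.Data[data.GetSecretKey()]; presence of the key is verified above.` records that expectation; passing a copy of the Secret trimmed to that key would enforce it. The body of `PushSecretToProviders` begins before this hunk.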

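--- a/pkg/controllers/secretstore/client_manager_test.go
+++ b/pkg/controllers/secretstore/client_manager_test.go
@@ -340,11 +340,11 @@ type MockFakeClient struct {
 	closeCalled bool
 }
 
-func (c *MockFakeClient) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (c *MockFakeClient) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return nil
 }
 
-func (c *MockFakeClient) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (c *MockFakeClient) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return nil
 }
 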

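--- a/pkg/provider/akeyless/akeyless.go
+++ b/pkg/provider/akeyless/akeyless.go
@@ -30,7 +30,6 @@ import (
 	"github.com/akeylesslabs/akeyless-go/v3"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -228,11 +227,11 @@ func (a *Akeyless) Validate() (esv1beta1.ValidationResult, error) {
 	return esv1beta1.ValidationResultReady, nil
 }
 
-func (a *Akeyless) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (a *Akeyless) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 }
 
-func (a *Akeyless) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (a *Akeyless) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }
 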

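--- a/pkg/provider/alibaba/kms.go
+++ b/pkg/provider/alibaba/kms.go
@@ -26,7 +26,6 @@ import (
 	"github.com/avast/retry-go/v4"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -59,11 +58,11 @@ type SMInterface interface {
 	Endpoint() string
 }
 
-func (kms *KeyManagementService) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (kms *KeyManagementService) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 }
 
-func (kms *KeyManagementService) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (kms *KeyManagementService) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }
 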

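--- a/pkg/provider/aws/parameterstore/parameterstore.go
+++ b/pkg/provider/aws/parameterstore/parameterstore.go
@@ -27,7 +27,6 @@ import (
 	"github.com/aws/aws-sdk-go/service/ssm"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	utilpointer "k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 
@@ -95,7 +94,7 @@ func (pm *ParameterStore) getTagsByName(ctx aws.Context, ref *ssm.GetParameterOu
 	return data.TagList, nil
 }
 
-func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	secretName := remoteRef.GetRemoteKey()
 	secretValue := ssm.GetParameterInput{
 		Name: &secretName,
@@ -132,12 +131,13 @@ func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1beta1.
 	return nil
 }
 
-func (pm *ParameterStore) PushSecret(ctx context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
+func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
 	parameterType := "String"
 	overwrite := true
 
+	value := secret.Data[data.GetSecretKey()]
 	stringValue := string(value)
-	secretName := remoteRef.GetRemoteKey()
+	secretName := data.GetRemoteKey()
 
 	secretRequest := ssm.PutParameterInput{
 		Name:      &secretName,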
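Review bot: In `ParameterStore.PushSecret`, `value := secret.Data[data.GetSecretKey()]` never checks that the key exists, so a missing key gives a nil slice and the function goes on to build the put request from an empty string with `overwrite := true`; a nil `secret` would panic on the same line. The controller verifies the key before calling, but nothing in the `SecretsClient` interface guarantees that for other callers. A local guard closes the gap: `value, ok := secret.Data[data.GetSecretKey()]` followed by `if !ok { return fmt.Errorf("secret key %q does not exist", data.GetSecretKey()) }`, using whichever error package the file already imports. The same unchecked lookup is added in `SecretsManager.PushSecret` in pkg/provider/aws/secretsmanager/secretsmanager.go. The body of this function continues past the end of the hunk.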

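--- a/pkg/provider/aws/parameterstore/parameterstore_test.go
+++ b/pkg/provider/aws/parameterstore/parameterstore_test.go
@@ -24,11 +24,13 @@ import (
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/service/ssm"
 	"github.com/google/go-cmp/cmp"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	fakeps "github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore/fake"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
+	"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 )
 
 const (
@@ -47,18 +49,6 @@ type parameterstoreTestCase struct {
 	expectedData   map[string][]byte
 }
 
-type fakeRef struct {
-	key string
-}
-
-func (f fakeRef) GetRemoteKey() string {
-	return f.key
-}
-
-func (f fakeRef) GetProperty() string {
-	return ""
-}
-
 func makeValidParameterStoreTestCase() *parameterstoreTestCase {
 	return &parameterstoreTestCase{
 		fakeClient:     &fakeps.Client{},
@@ -247,7 +237,7 @@ func TestDeleteSecret(t *testing.T) {
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			ref := fakeRef{key: "fake-key"}
+			ref := fake.PushSecretData{RemoteKey: "fake-key"}
 			ps := ParameterStore{
 				client: &tc.args.client,
 			}
@@ -273,7 +263,13 @@ func TestDeleteSecret(t *testing.T) {
 func TestPushSecret(t *testing.T) {
 	invalidParameters := errors.New(ssm.ErrCodeInvalidParameters)
 	alreadyExistsError := errors.New(ssm.ErrCodeAlreadyExistsException)
+	fakeSecretKey := "fakeSecretKey"
 	fakeValue := "fakeValue"
+	fakeSecret := &corev1.Secret{
+		Data: map[string][]byte{
+			fakeSecretKey: []byte(fakeValue),
+		},
+	}
 
 	managedByESO := ssm.Tag{
 		Key:   &managedBy,
@@ -431,11 +427,11 @@ func TestPushSecret(t *testing.T) {
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			ref := fakeRef{key: "fake-key"}
+			psd := fake.PushSecretData{SecretKey: "fake-secret-key", RemoteKey: "fake-key"}
 			ps := ParameterStore{
 				client: &tc.args.client,
 			}
-			err := ps.PushSecret(context.TODO(), []byte(fakeValue), "", nil, ref)
+			err := ps.PushSecret(context.TODO(), fakeSecret, psd)
 
 			// Error nil XOR tc.want.err nil
 			if ((err == nil) || (tc.want.err == nil)) && !((err == nil) && (tc.want.err == nil)) {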
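Review bot: In the `TestPushSecret` loop, `psd` is built with `SecretKey: "fake-secret-key"`, but `fakeSecret` stores its value under `fakeSecretKey`, which is `"fakeSecretKey"`, so the lookup in `PushSecret` finds nothing and the test pushes an empty value instead of `fakeValue` in every case. Referring to the variable keeps the two in sync: `psd := fake.PushSecretData{SecretKey: fakeSecretKey, RemoteKey: "fake-key"}`. That the mismatch passes unnoticed suggests no visible case asserts on the value handed to the fake client; a case that compares it with `fakeValue`, and one for a key that is absent from the Secret, would cover the new lookup. `TestPushSecret` extends beyond the hunks shown.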

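--- a/pkg/provider/aws/secretsmanager/secretsmanager.go
+++ b/pkg/provider/aws/secretsmanager/secretsmanager.go
@@ -32,7 +32,6 @@ import (
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	utilpointer "k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 
@@ -157,7 +156,7 @@ func (sm *SecretsManager) fetch(ctx context.Context, ref esv1beta1.ExternalSecre
 	return secretOut, nil
 }
 
-func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	secretName := remoteRef.GetRemoteKey()
 	secretValue := awssm.GetSecretValueInput{
 		SecretId: &secretName,
@@ -193,8 +192,9 @@ func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1beta1.
 	return err
 }
 
-func (sm *SecretsManager) PushSecret(ctx context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	secretName := remoteRef.GetRemoteKey()
+func (sm *SecretsManager) PushSecret(ctx context.Context, secret *corev1.Secret, psd esv1beta1.PushSecretData) error {
+	secretName := psd.GetRemoteKey()
+	value := secret.Data[psd.GetSecretKey()]
 	managedBy := managedBy
 	externalSecrets := externalSecrets
 	externalSecretsTag := []*awssm.Tag{
@@ -215,12 +215,12 @@ func (sm *SecretsManager) PushSecret(ctx context.Context, value []byte, _ corev1
 	awsSecret, err := sm.client.GetSecretValueWithContext(ctx, &secretValue)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMGetSecretValue, err)
 
-	if remoteRef.GetProperty() != "" {
+	if psd.GetProperty() != "" {
 		currentSecret := sm.retrievePayload(awsSecret)
 		if currentSecret != "" && !gjson.Valid(currentSecret) {
-			return errors.New("PushSecret for aws secrets manager with a remoteRef property requires a json secret")
+			return errors.New("PushSecret for aws secrets manager with a pushSecretData property requires a json secret")
 		}
-		value, _ = sjson.SetBytes([]byte(currentSecret), remoteRef.GetProperty(), value)
+		value, _ = sjson.SetBytes([]byte(currentSecret), psd.GetProperty(), value)
 	}
 
 	var aerr awserr.Error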
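Review bot: The rewritten line `value, _ = sjson.SetBytes([]byte(currentSecret), psd.GetProperty(), value)` still discards the error, so if sjson rejects the property path the push continues with whatever `SetBytes` returned rather than the intended JSON document. A separate variable handles it without touching `err`, which the code after the hunk appears to inspect next (`var aerr awserr.Error`): `merged, setErr := sjson.SetBytes([]byte(currentSecret), psd.GetProperty(), value)`, then `if setErr != nil { return setErr }` and `value = merged`. `PushSecret` continues beyond the end of this hunk, so how `err` is used afterwards is inferred rather than visible.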

+ 38 - 43
pkg/provider/aws/secretsmanager/secretsmanager_test.go

@@ -25,11 +25,13 @@ import (
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
 	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager/fake"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager/fake"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
+	"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 )
 )
 
 
 type secretsManagerTestCase struct {
 type secretsManagerTestCase struct {
@@ -365,23 +367,16 @@ func ErrorContains(out error, want string) bool {
 	return strings.Contains(out.Error(), want)
 	return strings.Contains(out.Error(), want)
 }
 }
 
 
-type fakeRef struct {
-	key      string
-	property string
-}
-
-func (f fakeRef) GetRemoteKey() string {
-	return f.key
-}
-
-func (f fakeRef) GetProperty() string {
-	return f.property
-}
-
 func TestSetSecret(t *testing.T) {
 func TestSetSecret(t *testing.T) {
 	managedBy := managedBy
 	managedBy := managedBy
 	notManagedBy := "not-managed-by"
 	notManagedBy := "not-managed-by"
+	secretKey := "fake-secret-key"
 	secretValue := []byte("fake-value")
 	secretValue := []byte("fake-value")
+	fakeSecret := &corev1.Secret{
+		Data: map[string][]byte{
+			secretKey: secretValue,
+		},
+	}
 	externalSecrets := externalSecrets
 	externalSecrets := externalSecrets
 	noPermission := errors.New("no permission")
 	noPermission := errors.New("no permission")
 	arn := "arn:aws:secretsmanager:us-east-1:702902267788:secret:foo-bar5-Robbgh"
 	arn := "arn:aws:secretsmanager:us-east-1:702902267788:secret:foo-bar5-Robbgh"
@@ -461,13 +456,13 @@ func TestSetSecret(t *testing.T) {
 		ARN: &arn,
 		ARN: &arn,
 	}
 	}
 
 
-	remoteRefWithoutProperty := fakeRef{key: "fake-key", property: ""}
-	remoteRefWithProperty := fakeRef{key: "fake-key", property: "other-fake-property"}
+	pushSecretDataWithoutProperty := fake.PushSecretData{SecretKey: secretKey, RemoteKey: "fake-key", Property: ""}
+	pushSecretDataWithProperty := fake.PushSecretData{SecretKey: secretKey, RemoteKey: "fake-key", Property: "other-fake-property"}
 
 
 	type args struct {
 	type args struct {
-		store     *esv1beta1.AWSProvider
-		client    fakesm.Client
-		remoteRef fakeRef
+		store          *esv1beta1.AWSProvider
+		client         fakesm.Client
+		pushSecretData fake.PushSecretData
 	}
 	}
 
 
 	type want struct {
 	type want struct {
@@ -488,7 +483,7 @@ func TestSetSecret(t *testing.T) {
 					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil),
 					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
@@ -502,28 +497,28 @@ func TestSetSecret(t *testing.T) {
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
 					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil),
 					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
 			},
 			},
 		},
 		},
 		"SetSecretWithPropertySucceedsWithNewSecret": {
 		"SetSecretWithPropertySucceedsWithNewSecret": {
-			reason: "if a new secret is pushed to aws sm and a remoteRef property is specified, create a json secret with the remoteRef property as a key",
+			reason: "if a new secret is pushed to aws sm and a pushSecretData property is specified, create a json secret with the pushSecretData property as a key",
 			args: args{
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
 				client: fakesm.Client{
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
 					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil, []byte(`{"other-fake-property":"fake-value"}`)),
 					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil, []byte(`{"other-fake-property":"fake-value"}`)),
 				},
 				},
-				remoteRef: remoteRefWithProperty,
+				pushSecretData: pushSecretDataWithProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
 			},
 			},
 		},
 		},
 		"SetSecretWithPropertySucceedsWithExistingSecretAndNewPropertyBinary": {
 		"SetSecretWithPropertySucceedsWithExistingSecretAndNewPropertyBinary": {
-			reason: "when a remoteRef property is specified, this property will be added to the sm secret if it is currently absent (sm secret is binary)",
+			reason: "when a pushSecretData property is specified, this property will be added to the sm secret if it is currently absent (sm secret is binary)",
 			args: args{
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
 				client: fakesm.Client{
@@ -534,7 +529,7 @@ func TestSetSecret(t *testing.T) {
 						Version:      &defaultUpdatedVersion,
 						Version:      &defaultUpdatedVersion,
 					}),
 					}),
 				},
 				},
-				remoteRef: remoteRefWithProperty,
+				pushSecretData: pushSecretDataWithProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
@@ -555,7 +550,7 @@ func TestSetSecret(t *testing.T) {
 						Version:      &randomUUIDVersionIncremented,
 						Version:      &randomUUIDVersionIncremented,
 					}),
 					}),
 				},
 				},
-				remoteRef: remoteRefWithProperty,
+				pushSecretData: pushSecretDataWithProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
@@ -576,7 +571,7 @@ func TestSetSecret(t *testing.T) {
 						Version:      &initialVersion,
 						Version:      &initialVersion,
 					}),
 					}),
 				},
 				},
-				remoteRef: remoteRefWithProperty,
+				pushSecretData: pushSecretDataWithProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: fmt.Errorf("expected secret version in AWS SSM to be a UUID but got '%s'", unparsableVersion),
 				err: fmt.Errorf("expected secret version in AWS SSM to be a UUID but got '%s'", unparsableVersion),
@@ -597,14 +592,14 @@ func TestSetSecret(t *testing.T) {
 						Version:      &initialVersion,
 						Version:      &initialVersion,
 					}),
 					}),
 				},
 				},
-				remoteRef: remoteRefWithProperty,
+				pushSecretData: pushSecretDataWithProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
 			},
 			},
 		},
 		},
 		"SetSecretWithPropertySucceedsWithExistingSecretAndNewPropertyString": {
 		"SetSecretWithPropertySucceedsWithExistingSecretAndNewPropertyString": {
-			reason: "when a remoteRef property is specified, this property will be added to the sm secret if it is currently absent (sm secret is a string)",
+			reason: "when a pushSecretData property is specified, this property will be added to the sm secret if it is currently absent (sm secret is a string)",
 			args: args{
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
 				client: fakesm.Client{
@@ -615,14 +610,14 @@ func TestSetSecret(t *testing.T) {
 						Version:      &defaultUpdatedVersion,
 						Version:      &defaultUpdatedVersion,
 					}),
 					}),
 				},
 				},
-				remoteRef: remoteRefWithProperty,
+				pushSecretData: pushSecretDataWithProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
 			},
 			},
 		},
 		},
 		"SetSecretWithPropertySucceedsWithExistingSecretAndNewPropertyWithDot": {
 		"SetSecretWithPropertySucceedsWithExistingSecretAndNewPropertyWithDot": {
-			reason: "when a remoteRef property is specified, this property will be added to the sm secret if it is currently absent (remoteRef property is a sub-object)",
+			reason: "when a pushSecretData property is specified, this property will be added to the sm secret if it is currently absent (pushSecretData property is a sub-object)",
 			args: args{
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
 				client: fakesm.Client{
@@ -633,24 +628,24 @@ func TestSetSecret(t *testing.T) {
 						Version:      &defaultUpdatedVersion,
 						Version:      &defaultUpdatedVersion,
 					}),
 					}),
 				},
 				},
-				remoteRef: fakeRef{key: "fake-key", property: "fake-property.other-fake-property"},
+				pushSecretData: fake.PushSecretData{SecretKey: secretKey, RemoteKey: "fake-key", Property: "fake-property.other-fake-property"},
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
 			},
 			},
 		},
 		},
 		"SetSecretWithPropertyFailsExistingNonJsonSecret": {
 		"SetSecretWithPropertyFailsExistingNonJsonSecret": {
-			reason: "setting a remoteRef property is only supported for json secrets",
+			reason: "setting a pushSecretData property is only supported for json secrets",
 			args: args{
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
 				client: fakesm.Client{
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutputFrom(params{s: `non-json-secret`}), nil),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutputFrom(params{s: `non-json-secret`}), nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
 				},
 				},
-				remoteRef: remoteRefWithProperty,
+				pushSecretData: pushSecretDataWithProperty,
 			},
 			},
 			want: want{
 			want: want{
-				err: errors.New("PushSecret for aws secrets manager with a remoteRef property requires a json secret"),
+				err: errors.New("PushSecret for aws secrets manager with a pushSecretData property requires a json secret"),
 			},
 			},
 		},
 		},
 		"SetSecretCreateSecretFails": {
 		"SetSecretCreateSecretFails": {
@@ -661,7 +656,7 @@ func TestSetSecret(t *testing.T) {
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
 					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(nil, noPermission),
 					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(nil, noPermission),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: noPermission,
 				err: noPermission,
@@ -674,7 +669,7 @@ func TestSetSecret(t *testing.T) {
 				client: fakesm.Client{
 				client: fakesm.Client{
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, noPermission),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, noPermission),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: noPermission,
 				err: noPermission,
@@ -688,7 +683,7 @@ func TestSetSecret(t *testing.T) {
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput2, nil),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput2, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: nil,
 				err: nil,
@@ -703,7 +698,7 @@ func TestSetSecret(t *testing.T) {
 					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(nil, noPermission),
 					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(nil, noPermission),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: noPermission,
 				err: noPermission,
@@ -716,7 +711,7 @@ func TestSetSecret(t *testing.T) {
 				client: fakesm.Client{
 				client: fakesm.Client{
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretWrongErr),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretWrongErr),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: &getSecretWrongErr,
 				err: &getSecretWrongErr,
@@ -730,7 +725,7 @@ func TestSetSecret(t *testing.T) {
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(nil, noPermission),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(nil, noPermission),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: noPermission,
 				err: noPermission,
@@ -744,7 +739,7 @@ func TestSetSecret(t *testing.T) {
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
 					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutputFaulty, nil),
 					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutputFaulty, nil),
 				},
 				},
-				remoteRef: remoteRefWithoutProperty,
+				pushSecretData: pushSecretDataWithoutProperty,
 			},
 			},
 			want: want{
 			want: want{
 				err: fmt.Errorf("secret not managed by external-secrets"),
 				err: fmt.Errorf("secret not managed by external-secrets"),
@@ -757,7 +752,7 @@ func TestSetSecret(t *testing.T) {
 			sm := SecretsManager{
 			sm := SecretsManager{
 				client: &tc.args.client,
 				client: &tc.args.client,
 			}
 			}
-			err := sm.PushSecret(context.Background(), []byte("fake-value"), "", nil, tc.args.remoteRef)
+			err := sm.PushSecret(context.Background(), fakeSecret, tc.args.pushSecretData)
 
 
 			// Error nil XOR tc.want.err nil
 			// Error nil XOR tc.want.err nil
 			if ((err == nil) || (tc.want.err == nil)) && !((err == nil) && (tc.want.err == nil)) {
 			if ((err == nil) || (tc.want.err == nil)) && !((err == nil) && (tc.want.err == nil)) {
@@ -897,7 +892,7 @@ func TestDeleteSecret(t *testing.T) {
 	}
 	}
 	for name, tc := range tests {
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
-			ref := fakeRef{key: "fake-key"}
+			ref := fake.PushSecretData{RemoteKey: "fake-key"}
 			sm := SecretsManager{
 			sm := SecretsManager{
 				client: &tc.args.client,
 				client: &tc.args.client,
 			}
 			}

+ 4 - 4
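--- a/pkg/provider/azure/keyvault/keyvault.go
+++ b/pkg/provider/azure/keyvault/keyvault.go
@@ -39,7 +39,6 @@ import (
 	"golang.org/x/crypto/sha3"
 	authv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
@@ -296,7 +295,7 @@ func (a *Azure) deleteKeyVaultCertificate(ctx context.Context, certName string)
 	return nil
 }
 
-func (a *Azure) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (a *Azure) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	objectType, secretName := getObjType(esv1beta1.ExternalSecretDataRemoteRef{Key: remoteRef.GetRemoteKey()})
 	switch objectType {
 	case defaultObjType:
@@ -497,8 +496,9 @@ func (a *Azure) setKeyVaultKey(ctx context.Context, secretName string, value []b
 }
 
 // PushSecret stores secrets into a Key vault instance.
-func (a *Azure) PushSecret(ctx context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	objectType, secretName := getObjType(esv1beta1.ExternalSecretDataRemoteRef{Key: remoteRef.GetRemoteKey()})
+func (a *Azure) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
+	objectType, secretName := getObjType(esv1beta1.ExternalSecretDataRemoteRef{Key: data.GetRemoteKey()})
+	value := secret.Data[data.GetSecretKey()]
 	switch objectType {
 	case defaultObjType:
 		return a.setKeyVaultSecret(ctx, secretName, value)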
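Review bot: The new `value := secret.Data[data.GetSecretKey()]` in PushSecret does not check that the key is present, so a key missing from the Secret yields a nil `value` that is passed straight to `setKeyVaultSecret`, and a nil `secret` would panic. Whether the controller validates the key before calling the provider is not visible here; if it does not, an existing Key Vault entry could be overwritten with an empty value. Consider `value, ok := secret.Data[data.GetSecretKey()]` followed by `if !ok { return fmt.Errorf("key %q not found in secret", data.GetSecretKey()) }`. The same unchecked lookup is added in pkg/provider/fake/fake.go and pkg/provider/gcp/secretmanager/client.go; PushSecret's body continues outside the hunk.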

File diff suppressed because it is too large
+ 138 - 113
pkg/provider/azure/keyvault/keyvault_test.go


+ 2 - 3
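--- a/pkg/provider/conjur/provider.go
+++ b/pkg/provider/conjur/provider.go
@@ -23,7 +23,6 @@ import (
 	"github.com/cyberark/conjur-api-go/conjurapi"
 	"github.com/cyberark/conjur-api-go/conjurapi/authn"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -172,12 +171,12 @@ func (p *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretData
 }
 
 // PushSecret will write a single secret into the provider.
-func (p *Client) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (p *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	// NOT IMPLEMENTED
 	return nil
 }
 
-func (p *Client) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (p *Client) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	// NOT IMPLEMENTED
 	return nil
 }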
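Review bot: The Conjur `PushSecret` and `DeleteSecret` keep `return nil` under a `// NOT IMPLEMENTED` comment, so a caller cannot tell an unsupported operation from a successful write or delete. A PushSecret pointed at this store would presumably be reported as synced although nothing reached Conjur. The Delinea and Doppler clients touched by this same commit return an error instead; doing the same here, for example `return errors.New("pushing secrets is not supported by Conjur")`, would surface the misconfiguration. This assumes `errors` is imported in the file, which the hunk does not show.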

+ 2 - 3
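--- a/pkg/provider/delinea/client.go
+++ b/pkg/provider/delinea/client.go
@@ -25,7 +25,6 @@ import (
 	"github.com/DelineaXPM/dsv-sdk-go/v2/vault"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
@@ -72,11 +71,11 @@ func (c *client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretData
 	return []byte(val.String()), nil
 }
 
-func (c *client) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (c *client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return errors.New("pushing secrets is not supported by Delinea DevOps Secrets Vault")
 }
 
-func (c *client) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (c *client) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return errors.New("deleting secrets is not supported by Delinea DevOps Secrets Vault")
 }
 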

+ 2 - 3
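--- a/pkg/provider/doppler/client.go
+++ b/pkg/provider/doppler/client.go
@@ -23,7 +23,6 @@ import (
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -116,11 +115,11 @@ func (c *Client) Validate() (esv1beta1.ValidationResult, error) {
 	return esv1beta1.ValidationResultReady, nil
 }
 
-func (c *Client) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (c *Client) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }
 
-func (c *Client) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 }
 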

+ 5 - 5
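--- a/pkg/provider/fake/fake.go
+++ b/pkg/provider/fake/fake.go
@@ -21,7 +21,6 @@ import (
 
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
@@ -107,14 +106,15 @@ func getProvider(store esv1beta1.GenericStore) (*esv1beta1.FakeProvider, error)
 	return spc.Provider.Fake, nil
 }
 
-func (p *Provider) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (p *Provider) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return nil
 }
 
-func (p *Provider) PushSecret(_ context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	currentData, ok := p.config[remoteRef.GetRemoteKey()]
+func (p *Provider) PushSecret(_ context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
+	value := secret.Data[data.GetSecretKey()]
+	currentData, ok := p.config[data.GetRemoteKey()]
 	if !ok {
-		p.config[remoteRef.GetRemoteKey()] = &Data{
+		p.config[data.GetRemoteKey()] = &Data{
 			Value:  string(value),
 			Origin: FakeSetSecret,
 		}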

+ 10 - 2
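--- a/pkg/provider/fake/fake_test.go
+++ b/pkg/provider/fake/fake_test.go
@@ -22,11 +22,12 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 )
 
 func TestNewClient(t *testing.T) {
@@ -332,6 +333,7 @@ type setSecretTestCase struct {
 func TestSetSecret(t *testing.T) {
 	gomega.RegisterTestingT(t)
 	p := &Provider{}
+	secretKey := "secret-key"
 	tbl := []setSecretTestCase{
 		{
 			name:       "return nil if no existing secret",
@@ -367,7 +369,13 @@ func TestSetSecret(t *testing.T) {
 				},
 			}, nil, "")
 			gomega.Expect(err).ToNot(gomega.HaveOccurred())
-			err = cl.PushSecret(context.TODO(), []byte(row.expValue), "", nil, esv1alpha1.PushSecretRemoteRef{
+			secret := &corev1.Secret{
+				Data: map[string][]byte{
+					secretKey: []byte(row.expValue),
+				},
+			}
+			err = cl.PushSecret(context.TODO(), secret, testingfake.PushSecretData{
+				SecretKey: secretKey,
 				RemoteKey: row.requestKey,
 			})
 			if row.expErr != "" {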

+ 8 - 8
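--- a/pkg/provider/gcp/secretmanager/client.go
+++ b/pkg/provider/gcp/secretmanager/client.go
@@ -31,7 +31,6 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -62,7 +61,7 @@ const (
 	errInvalidStoreSpec       = "invalid store spec"
 	errInvalidStoreProv       = "invalid store provider"
 	errInvalidGCPProv         = "invalid gcp secrets manager provider"
-	errInvalidAuthSecretRef   = "invalid auth secret ref: %w"
+	errInvalidAuthSecretRef   = "invalid auth secret data: %w"
 	errInvalidWISARef         = "invalid workload identity service account reference: %w"
 	errUnexpectedFindOperator = "unexpected find operator"
 
@@ -96,7 +95,7 @@ type GoogleSecretManagerClient interface {
 
 var log = ctrl.Log.WithName("provider").WithName("gcp").WithName("secretsmanager")
 
-func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	gcpSecret, err := c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
 		Name: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, remoteRef.GetRemoteKey()),
 	})
@@ -131,8 +130,9 @@ func parseError(err error) error {
 }
 
 // PushSecret pushes a kubernetes secret key into gcp provider Secret.
-func (c *Client) PushSecret(ctx context.Context, payload []byte, _ corev1.SecretType, metadata *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	secretName := fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, remoteRef.GetRemoteKey())
+func (c *Client) PushSecret(ctx context.Context, secret *corev1.Secret, pushSecretData esv1beta1.PushSecretData) error {
+	payload := secret.Data[pushSecretData.GetSecretKey()]
+	secretName := fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, pushSecretData.GetRemoteKey())
 	gcpSecret, err := c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
 		Name: secretName,
 	})
@@ -145,7 +145,7 @@ func (c *Client) PushSecret(ctx context.Context, payload []byte, _ corev1.Secret
 
 		gcpSecret, err = c.smClient.CreateSecret(ctx, &secretmanagerpb.CreateSecretRequest{
 			Parent:   fmt.Sprintf("projects/%s", c.store.ProjectID),
-			SecretId: remoteRef.GetRemoteKey(),
+			SecretId: pushSecretData.GetRemoteKey(),
 			Secret: &secretmanagerpb.Secret{
 				Labels: map[string]string{
 					managedByKey: managedByValue,
@@ -163,7 +163,7 @@ func (c *Client) PushSecret(ctx context.Context, payload []byte, _ corev1.Secret
 		}
 	}
 
-	builder, err := newPushSecretBuilder(payload, metadata, remoteRef)
+	builder, err := newPushSecretBuilder(payload, pushSecretData)
 	if err != nil {
 		return err
 	}
@@ -221,7 +221,7 @@ func (c *Client) PushSecret(ctx context.Context, payload []byte, _ corev1.Secret
 	}
 
 	addSecretVersionReq := &secretmanagerpb.AddSecretVersionRequest{
-		Parent: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, pushSecretData.GetRemoteKey()),
+		Parent: fmt.Sprintf("projects/%s/secrets/%s", c.store.ProjectID, pushSecretData.GetRemoteKey()),
 		Payload: &secretmanagerpb.SecretPayload{
 			Data: data,
 		},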
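Review bot: The message of `errInvalidAuthSecretRef` changes from `"invalid auth secret ref: %w"` to `"invalid auth secret data: %w"` in the const block, which looks like a side effect of renaming `ref` to `data` rather than an intended change. The constant name and the neighbouring `errInvalidWISARef` suggest it reports a bad auth secret reference in the store, unrelated to PushSecret data, so the new wording would mislead an operator reading the error. Keep `errInvalidAuthSecretRef = "invalid auth secret ref: %w"`. The same rename appears to have reached client_test.go in `// good case: data with`, `"unexpected secret pushSecretData: ..."`, `"invalid secret data"` and `"invalid wi sa data"`.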

+ 40 - 37
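--- a/pkg/provider/gcp/secretmanager/client_test.go
+++ b/pkg/provider/gcp/secretmanager/client_test.go
@@ -26,13 +26,14 @@ import (
 	"github.com/googleapis/gax-go/v2/apierror"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	pointer "k8s.io/utils/ptr"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager/fake"
+	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 )
 
 type secretManagerTestCase struct {
@@ -143,7 +144,7 @@ func TestSecretManagerGetSecret(t *testing.T) {
 		smtc.expectedSecret = "Tom"
 	}
 
-	// good case: ref with
+	// good case: data with
 	setCustomRef := func(smtc *secretManagerTestCase) {
 		smtc.ref = &esv1beta1.ExternalSecretDataRemoteRef{
 			Key:      "/baz",
@@ -397,18 +398,6 @@ func TestGetSecret_MetadataPolicyFetch(t *testing.T) {
 	}
 }
 
-type fakeRef struct {
-	key string
-}
-
-func (f fakeRef) GetRemoteKey() string {
-	return f.key
-}
-
-func (f fakeRef) GetProperty() string {
-	return ""
-}
-
 func TestDeleteSecret(t *testing.T) {
 	fErr := status.Error(codes.NotFound, "failed")
 	notFoundError, _ := apierror.FromError(fErr)
@@ -493,7 +482,7 @@ func TestDeleteSecret(t *testing.T) {
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			ref := fakeRef{key: "fake-key"}
+			ref := testingfake.PushSecretData{RemoteKey: "fake-key"}
 			client := Client{
 				smClient: &tc.args.client,
 				store: &esv1beta1.GCPSMProvider{
@@ -519,8 +508,8 @@ func TestDeleteSecret(t *testing.T) {
 }
 
 func TestPushSecret(t *testing.T) {
-	ref := fakeRef{key: "/baz"}
-
+	secretKey := "secret-key"
+	remoteKey := "/baz"
 	notFoundError := status.Error(codes.NotFound, "failed")
 	notFoundError, _ = apierror.FromError(notFoundError)
 
@@ -528,7 +517,7 @@ func TestPushSecret(t *testing.T) {
 	canceledError, _ = apierror.FromError(canceledError)
 
 	APIerror := fmt.Errorf("API Error")
-	labelError := fmt.Errorf("secret %v is not managed by external secrets", ref.GetRemoteKey())
+	labelError := fmt.Errorf("secret %v is not managed by external secrets", remoteKey)
 
 	secret := secretmanagerpb.Secret{
 		Name: "projects/default/secrets/baz",
@@ -759,7 +748,14 @@ func TestPushSecret(t *testing.T) {
 					ProjectID: smtc.projectID,
 				},
 			}
-			err := c.PushSecret(context.Background(), []byte("fake-value"), "", tc.args.Metadata, ref)
+			s := &corev1.Secret{Data: map[string][]byte{secretKey: []byte("fake-value")}}
+			data := testingfake.PushSecretData{
+				SecretKey: secretKey,
+				Metadata:  tc.args.Metadata,
+				RemoteKey: "/baz",
+			}
+
+			err := c.PushSecret(context.Background(), s, data)
 			if err != nil {
 				if tc.want.err == nil {
 					t.Errorf("received an unexpected error: %v", err)
@@ -779,6 +775,7 @@ func TestPushSecret(t *testing.T) {
 }
 
 func TestPushSecret_Property(t *testing.T) {
+	secretKey := "secret-key"
 	defaultAddSecretVersionMockReturn := func(gotPayload, expectedPayload string) (*secretmanagerpb.SecretVersion, error) {
 		if gotPayload != expectedPayload {
 			t.Fatalf("payload does not match: got %s, expected: %s", gotPayload, expectedPayload)
@@ -790,7 +787,7 @@ func TestPushSecret_Property(t *testing.T) {
 	tests := []struct {
 		desc                          string
 		payload                       string
-		ref                           esv1beta1.PushRemoteRef
+		data                          testingfake.PushSecretData
 		getSecretMockReturn           fakesm.SecretMockReturn
 		createSecretMockReturn        fakesm.SecretMockReturn
 		updateSecretMockReturn        fakesm.SecretMockReturn
@@ -802,8 +799,9 @@ func TestPushSecret_Property(t *testing.T) {
 		{
 			desc:    "Add new key value paris",
 			payload: "testValue2",
-			ref: esv1alpha1.PushSecretRemoteRef{
-				Property: "testKey2",
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
+				Property:  "testKey2",
 			},
 			getSecretMockReturn: fakesm.SecretMockReturn{
 				Secret: &secretmanagerpb.Secret{
@@ -825,8 +823,9 @@ func TestPushSecret_Property(t *testing.T) {
 		{
 			desc:    "Update existing value",
 			payload: "testValue2",
-			ref: esv1alpha1.PushSecretRemoteRef{
-				Property: "testKey1.testKey2",
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
+				Property:  "testKey1.testKey2",
 			},
 			getSecretMockReturn: fakesm.SecretMockReturn{
 				Secret: &secretmanagerpb.Secret{
@@ -848,8 +847,9 @@ func TestPushSecret_Property(t *testing.T) {
 		{
 			desc:    "Secret not found",
 			payload: "testValue2",
-			ref: esv1alpha1.PushSecretRemoteRef{
-				Property: "testKey1.testKey3",
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
+				Property:  "testKey1.testKey3",
 			},
 			getSecretMockReturn: fakesm.SecretMockReturn{
 				Secret: &secretmanagerpb.Secret{},
@@ -873,8 +873,9 @@ func TestPushSecret_Property(t *testing.T) {
 		{
 			desc:    "Secret version is not found",
 			payload: "testValue1",
-			ref: esv1alpha1.PushSecretRemoteRef{
-				Property: "testKey1",
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
+				Property:  "testKey1",
 			},
 			getSecretMockReturn: fakesm.SecretMockReturn{
 				Secret: &secretmanagerpb.Secret{
@@ -890,8 +891,9 @@ func TestPushSecret_Property(t *testing.T) {
 		{
 			desc:    "Secret is not managed by the controller",
 			payload: "testValue1",
-			ref: esv1alpha1.PushSecretRemoteRef{
-				Property: "testKey1.testKey2",
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
+				Property:  "testKey1.testKey2",
 			},
 			getSecretMockReturn: fakesm.SecretMockReturn{
 				Secret: &secretmanagerpb.Secret{},
@@ -914,8 +916,9 @@ func TestPushSecret_Property(t *testing.T) {
 		{
 			desc:    "Payload is the same with the existing one",
 			payload: "testValue1",
-			ref: esv1alpha1.PushSecretRemoteRef{
-				Property: "testKey1.testKey2",
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
+				Property:  "testKey1.testKey2",
 			},
 			getSecretMockReturn: fakesm.SecretMockReturn{
 				Secret: &secretmanagerpb.Secret{
@@ -953,8 +956,8 @@ func TestPushSecret_Property(t *testing.T) {
 				smClient: smClient,
 				store:    &esv1beta1.GCPSMProvider{},
 			}
-
-			err := client.PushSecret(context.Background(), []byte(tc.payload), "", nil, tc.ref)
+			s := &corev1.Secret{Data: map[string][]byte{secretKey: []byte(tc.payload)}}
+			err := client.PushSecret(context.Background(), s, tc.data)
 			if err != nil {
 				if tc.expectedErr == "" {
 					t.Fatalf("PushSecret returns unexpected error: %v", err)
@@ -1011,7 +1014,7 @@ func TestGetSecretMap(t *testing.T) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
 		}
 		if err == nil && !reflect.DeepEqual(out, v.expectedData) {
-			t.Errorf("[%d] unexpected secret data: expected %#v, got %#v", k, v.expectedData, out)
+			t.Errorf("[%d] unexpected secret pushSecretData: expected %#v, got %#v", k, v.expectedData, out)
 		}
 	}
 }
@@ -1041,7 +1044,7 @@ func TestValidateStore(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name:    "invalid secret ref",
+			name:    "invalid secret data",
 			wantErr: true,
 			args: args{
 				auth: esv1beta1.GCPSMAuth{
@@ -1055,7 +1058,7 @@ func TestValidateStore(t *testing.T) {
 			},
 		},
 		{
-			name:    "invalid wi sa ref",
+			name:    "invalid wi sa data",
 			wantErr: true,
 			args: args{
 				auth: esv1beta1.GCPSMAuth{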

+ 16 - 19
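--- a/pkg/provider/gcp/secretmanager/push_secret.go
+++ b/pkg/provider/gcp/secretmanager/push_secret.go
@@ -20,7 +20,6 @@ import (
 	"fmt"
 
 	"github.com/tidwall/sjson"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
@@ -30,22 +29,21 @@ type Metadata struct {
 	Labels      map[string]string `json:"labels"`
 }
 
-func newPushSecretBuilder(payload []byte, metadata *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) (pushSecretBuilder, error) {
-	if remoteRef.GetProperty() == "" {
+func newPushSecretBuilder(payload []byte, data esv1beta1.PushSecretData) (pushSecretBuilder, error) {
+	if data.GetProperty() == "" {
 		return &psBuilder{
-			payload:   payload,
-			metadata:  metadata,
-			remoteRef: remoteRef,
+			payload:        payload,
+			pushSecretData: data,
 		}, nil
 	}
 
-	if metadata != nil {
+	if data.GetMetadata() != nil {
 		return nil, errors.New("cannot specify metadata and property at the same time")
 	}
 
 	return &propertyPSBuilder{
-		payload:   payload,
-		remoteRef: remoteRef,
+		payload:        payload,
+		pushSecretData: data,
 	}, nil
 }
 
@@ -56,19 +54,18 @@ type pushSecretBuilder interface {
 }
 
 type psBuilder struct {
-	payload   []byte
-	metadata  *apiextensionsv1.JSON
-	remoteRef esv1beta1.PushRemoteRef
+	payload        []byte
+	pushSecretData esv1beta1.PushSecretData
 }
 
 func (b *psBuilder) buildMetadata(_, labels map[string]string) (map[string]string, map[string]string, error) {
 	if manager, ok := labels[managedByKey]; !ok || manager != managedByValue {
-		return nil, nil, fmt.Errorf("secret %v is not managed by external secrets", b.remoteRef.GetRemoteKey())
+		return nil, nil, fmt.Errorf("secret %v is not managed by external secrets", b.pushSecretData.GetRemoteKey())
 	}
 
 	var metadata Metadata
-	if b.metadata != nil {
-		decoder := json.NewDecoder(bytes.NewReader(b.metadata.Raw))
+	if b.pushSecretData.GetMetadata() != nil {
+		decoder := json.NewDecoder(bytes.NewReader(b.pushSecretData.GetMetadata().Raw))
 		// Want to return an error if unknown fields exist
 		decoder.DisallowUnknownFields()
 
@@ -99,8 +96,8 @@ func (b *psBuilder) buildData(_ []byte) ([]byte, error) {
 }
 
 type propertyPSBuilder struct {
-	payload   []byte
-	remoteRef esv1beta1.PushRemoteRef
+	payload        []byte
+	pushSecretData esv1beta1.PushSecretData
 }
 
 func (b *propertyPSBuilder) buildMetadata(annotations, labels map[string]string) (map[string]string, map[string]string, error) {
@@ -122,7 +119,7 @@ func (b *propertyPSBuilder) needUpdate(original []byte) bool {
 		return true
 	}
 
-	val := getDataByProperty(original, b.remoteRef.GetProperty())
+	val := getDataByProperty(original, b.pushSecretData.GetProperty())
 	return !val.Exists() || val.String() != string(b.payload)
 }
 
@@ -131,5 +128,5 @@ func (b *propertyPSBuilder) buildData(original []byte) ([]byte, error) {
 	if original != nil {
 		base = original
 	}
-	return sjson.SetBytes(base, b.remoteRef.GetProperty(), b.payload)
+	return sjson.SetBytes(base, b.pushSecretData.GetProperty(), b.payload)
 }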
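Review bot: In `psBuilder.buildMetadata` the new code calls `b.pushSecretData.GetMetadata()` twice, once for the nil check and once to read `.Raw`. `PushSecretData` appears to be an interface (the tests pass a `testingfake.PushSecretData` for it), so binding the result once keeps the check and the dereference on the same value: `if md := b.pushSecretData.GetMetadata(); md != nil {` followed by `decoder := json.NewDecoder(bytes.NewReader(md.Raw))`. The body of `buildMetadata` continues outside the hunk, so the rest of the decoding path is not visible here.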

+ 2 - 3
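--- a/pkg/provider/gitlab/gitlab.go
+++ b/pkg/provider/gitlab/gitlab.go
@@ -25,7 +25,6 @@ import (
 	"github.com/tidwall/gjson"
 	"github.com/xanzy/go-gitlab"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 
@@ -109,11 +108,11 @@ func (g *gitlabBase) getAuth(ctx context.Context) ([]byte, error) {
 	return credentials, nil
 }
 
-func (g *gitlabBase) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (g *gitlabBase) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }
 
-func (g *gitlabBase) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (g *gitlabBase) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 }
 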

+ 2 - 3
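--- a/pkg/provider/ibm/provider.go
+++ b/pkg/provider/ibm/provider.go
@@ -27,7 +27,6 @@ import (
 	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -124,12 +123,12 @@ func (c *client) setAuth(ctx context.Context) error {
 	return nil
 }
 
-func (ibm *providerIBM) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (ibm *providerIBM) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }
 
 // Not Implemented PushSecret.
-func (ibm *providerIBM) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (ibm *providerIBM) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 }
 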

+ 10 - 10
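--- a/pkg/provider/keepersecurity/client.go
+++ b/pkg/provider/keepersecurity/client.go
@@ -24,7 +24,6 @@ import (
 	ksm "github.com/keeper-security/secrets-manager-go/core"
 	"golang.org/x/exp/maps"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
@@ -162,23 +161,24 @@ func (c *Client) Close(_ context.Context) error {
 	return nil
 }
 
-func (c *Client) PushSecret(_ context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	parts, err := c.buildSecretNameAndKey(remoteRef)
+func (c *Client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
+	value := secret.Data[data.GetSecretKey()]
+	parts, err := c.buildSecretNameAndKey(data)
 	if err != nil {
 		return err
 	}
-	secret, err := c.findSecretByName(parts[0])
+	record, err := c.findSecretByName(parts[0])
 	if err != nil {
 		_, err = c.createSecret(parts[0], parts[1], value)
 		if err != nil {
 			return err
 		}
 	}
-	if secret != nil {
-		if secret.Type() != externalSecretType {
-			return fmt.Errorf(errInvalidSecretType, externalSecretType, secret.Title(), secret.Type())
+	if record != nil {
+		if record.Type() != externalSecretType {
+			return fmt.Errorf(errInvalidSecretType, externalSecretType, record.Title(), record.Type())
 		}
-		err = c.updateSecret(secret, parts[1], value)
+		err = c.updateSecret(record, parts[1], value)
 		if err != nil {
 			return err
 		}
@@ -187,7 +187,7 @@ func (c *Client) PushSecret(_ context.Context, value []byte, _ corev1.SecretType
 	return nil
 }
 
-func (c *Client) DeleteSecret(_ context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (c *Client) DeleteSecret(_ context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	parts, err := c.buildSecretNameAndKey(remoteRef)
 	if err != nil {
 		return err
@@ -207,7 +207,7 @@ func (c *Client) DeleteSecret(_ context.Context, remoteRef esv1beta1.PushRemoteR
 	return nil
 }
 
-func (c *Client) buildSecretNameAndKey(remoteRef esv1beta1.PushRemoteRef) ([]string, error) {
+func (c *Client) buildSecretNameAndKey(remoteRef esv1beta1.PushSecretRemoteRef) ([]string, error) {
 	parts := strings.Split(remoteRef.GetRemoteKey(), "/")
 	if len(parts) != 2 {
 		return nil, fmt.Errorf(errInvalidRemoteRefKey, remoteRef.GetRemoteKey())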
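Review bot: `value := secret.Data[data.GetSecretKey()]` in `PushSecret` does not distinguish a missing key from an empty value, so when the key is absent `value` is nil and the code still creates or updates the remote record, replacing its content with nothing. Unless the controller guarantees the key exists before calling a provider (not visible in this section), the provider should check at its own boundary with `value, ok := secret.Data[data.GetSecretKey()]` and return an error when `!ok`, naming the key but never the value. A nil `secret` would also panic on this line, since the method now dereferences a pointer it used not to receive. The same unchecked lookup is added to `PushSecret` in `pkg/provider/kubernetes/client.go` and `pkg/provider/oracle/oracle.go`.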

+ 20 - 17
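--- a/pkg/provider/keepersecurity/client_test.go
+++ b/pkg/provider/keepersecurity/client_test.go
@@ -21,10 +21,12 @@ import (
 	"testing"
 
 	ksm "github.com/keeper-security/secrets-manager-go/core"
+	corev1 "k8s.io/api/core/v1"
 
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider/keepersecurity/fake"
+	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 )
 
 const (
@@ -49,7 +51,7 @@ func TestClientDeleteSecret(t *testing.T) {
 	}
 	type args struct {
 		ctx       context.Context
-		remoteRef v1beta1.PushRemoteRef
+		remoteRef v1beta1.PushSecretRemoteRef
 	}
 	tests := []struct {
 		name    string
@@ -472,14 +474,14 @@ func TestClientGetSecretMap(t *testing.T) {
 }
 
 func TestClientPushSecret(t *testing.T) {
+	secretKey := "secret-key"
 	type fields struct {
 		ksmClient SecurityClient
 		folderID  string
 	}
 	type args struct {
-		ctx       context.Context
-		value     []byte
-		remoteRef v1beta1.PushRemoteRef
+		value []byte
+		data  testingfake.PushSecretData
 	}
 	tests := []struct {
 		name    string
@@ -494,8 +496,8 @@ func TestClientPushSecret(t *testing.T) {
 				folderID:  folderID,
 			},
 			args: args{
-				ctx: context.Background(),
-				remoteRef: v1alpha1.PushSecretRemoteRef{
+				data: testingfake.PushSecretData{
+					SecretKey: secretKey,
 					RemoteKey: record0,
 				},
 				value: []byte("foo"),
@@ -516,8 +518,8 @@ func TestClientPushSecret(t *testing.T) {
 				folderID: folderID,
 			},
 			args: args{
-				ctx: context.Background(),
-				remoteRef: v1alpha1.PushSecretRemoteRef{
+				data: testingfake.PushSecretData{
+					SecretKey: secretKey,
 					RemoteKey: invalidRecord,
 				},
 				value: []byte("foo"),
@@ -538,8 +540,8 @@ func TestClientPushSecret(t *testing.T) {
 				folderID: folderID,
 			},
 			args: args{
-				ctx: context.Background(),
-				remoteRef: v1alpha1.PushSecretRemoteRef{
+				data: testingfake.PushSecretData{
+					SecretKey: secretKey,
 					RemoteKey: validExistingRecord,
 				},
 				value: []byte("foo2"),
@@ -560,8 +562,8 @@ func TestClientPushSecret(t *testing.T) {
 				folderID: folderID,
 			},
 			args: args{
-				ctx: context.Background(),
-				remoteRef: v1alpha1.PushSecretRemoteRef{
+				data: testingfake.PushSecretData{
+					SecretKey: secretKey,
 					RemoteKey: validExistingRecord,
 				},
 				value: []byte("foo2"),
@@ -582,8 +584,8 @@ func TestClientPushSecret(t *testing.T) {
 				folderID: folderID,
 			},
 			args: args{
-				ctx: context.Background(),
-				remoteRef: v1alpha1.PushSecretRemoteRef{
+				data: testingfake.PushSecretData{
+					SecretKey: secretKey,
 					RemoteKey: invalidRecord,
 				},
 				value: []byte("foo"),
@@ -604,8 +606,8 @@ func TestClientPushSecret(t *testing.T) {
 				folderID: folderID,
 			},
 			args: args{
-				ctx: context.Background(),
-				remoteRef: v1alpha1.PushSecretRemoteRef{
+				data: testingfake.PushSecretData{
+					SecretKey: secretKey,
 					RemoteKey: validExistingRecord,
 				},
 				value: []byte("foo2"),
@@ -619,7 +621,8 @@ func TestClientPushSecret(t *testing.T) {
 				ksmClient: tt.fields.ksmClient,
 				folderID:  tt.fields.folderID,
 			}
-			if err := c.PushSecret(tt.args.ctx, tt.args.value, "", nil, tt.args.remoteRef); (err != nil) != tt.wantErr {
+			s := &corev1.Secret{Data: map[string][]byte{secretKey: tt.args.value}}
+			if err := c.PushSecret(context.Background(), s, tt.args.data); (err != nil) != tt.wantErr {
 				t.Errorf("PushSecret() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})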
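Review bot: No case in `TestClientPushSecret` exercises the lookup that `PushSecret` now performs itself, because every case sets `SecretKey: secretKey` and the Secret is built with that same key, so the lookup can never miss. A case whose `data.SecretKey` is absent from `s.Data` would pin what the provider does when the key is missing, which at present looks like pushing an empty value. Such a case only needs a different `SecretKey` in the table, since `s` is built from the shared `secretKey` in the loop. The table entries start outside the visible hunks, so the expected result for that case has to be chosen against the mock set up there.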

+ 14 - 14
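--- a/pkg/provider/kubernetes/client.go
+++ b/pkg/provider/kubernetes/client.go
@@ -23,7 +23,6 @@ import (
 
 	"github.com/tidwall/gjson"
 	v1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -82,7 +81,7 @@ func jsonMarshal(t interface{}) ([]byte, error) {
 	return bytes.TrimRight(buffer.Bytes(), "\n"), err
 }
 
-func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	if remoteRef.GetProperty() == "" {
 		return fmt.Errorf("requires property in RemoteRef to delete secret value")
 	}
@@ -107,30 +106,31 @@ func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemot
 	return c.fullDelete(ctx, remoteRef.GetRemoteKey())
 }
 
-func (c *Client) PushSecret(ctx context.Context, value []byte, typed v1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	if remoteRef.GetProperty() == "" {
+func (c *Client) PushSecret(ctx context.Context, secret *v1.Secret, data esv1beta1.PushSecretData) error {
+	if data.GetProperty() == "" {
 		return fmt.Errorf("requires property in RemoteRef to push secret value")
 	}
-	extSecret, getErr := c.userSecretClient.Get(ctx, remoteRef.GetRemoteKey(), metav1.GetOptions{})
+	value := secret.Data[data.GetSecretKey()]
+	extSecret, getErr := c.userSecretClient.Get(ctx, data.GetRemoteKey(), metav1.GetOptions{})
 	metrics.ObserveAPICall(constants.ProviderKubernetes, constants.CallKubernetesGetSecret, getErr)
 	if getErr != nil {
 		// create if it not exists
 		if apierrors.IsNotFound(getErr) {
-			newType := v1.SecretTypeOpaque
-			if typed != "" {
-				newType = typed
+			typ := v1.SecretTypeOpaque
+			if secret.Type != "" {
+				typ = secret.Type
 			}
-			return c.createSecret(ctx, value, newType, remoteRef)
+			return c.createSecret(ctx, value, typ, data)
 		}
 		return getErr
 	}
 	// return gracefully if data is already in sync
-	if v, ok := extSecret.Data[remoteRef.GetProperty()]; ok && bytes.Equal(v, value) {
+	if v, ok := extSecret.Data[data.GetProperty()]; ok && bytes.Equal(v, value) {
 		return nil
 	}
 
 	// otherwise update remote property
-	return c.updateProperty(ctx, extSecret, remoteRef, value)
+	return c.updateProperty(ctx, extSecret, data, value)
 }
 
 func (c *Client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
@@ -300,7 +300,7 @@ func convertMap(in map[string][]byte) map[string]string {
 	return out
 }
 
-func (c *Client) createSecret(ctx context.Context, value []byte, typed v1.SecretType, remoteRef esv1beta1.PushRemoteRef) error {
+func (c *Client) createSecret(ctx context.Context, value []byte, typed v1.SecretType, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	s := v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      remoteRef.GetRemoteKey(),
@@ -327,14 +327,14 @@ func (c *Client) fullDelete(ctx context.Context, secretName string) error {
 }
 
 // removeProperty removes single data property from remote secret.
-func (c *Client) removeProperty(ctx context.Context, extSecret *v1.Secret, remoteRef esv1beta1.PushRemoteRef) error {
+func (c *Client) removeProperty(ctx context.Context, extSecret *v1.Secret, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	delete(extSecret.Data, remoteRef.GetProperty())
 	_, err := c.userSecretClient.Update(ctx, extSecret, metav1.UpdateOptions{})
 	metrics.ObserveAPICall(constants.ProviderKubernetes, constants.CallKubernetesUpdateSecret, err)
 	return err
 }
 
-func (c *Client) updateProperty(ctx context.Context, extSecret *v1.Secret, remoteRef esv1beta1.PushRemoteRef, value []byte) error {
+func (c *Client) updateProperty(ctx context.Context, extSecret *v1.Secret, remoteRef esv1beta1.PushSecretRemoteRef, value []byte) error {
 	if extSecret.Data == nil {
 		extSecret.Data = make(map[string][]byte)
 	}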

+ 19 - 8
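--- a/pkg/provider/kubernetes/client_test.go
+++ b/pkg/provider/kubernetes/client_test.go
@@ -29,6 +29,7 @@ import (
 
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 )
 
 const (
@@ -560,7 +561,7 @@ func TestDeleteSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		fields fields
-		ref    esv1beta1.PushRemoteRef
+		ref    esv1beta1.PushSecretRemoteRef
 
 		wantSecretMap map[string]*v1.Secret
 		wantErr       bool
@@ -730,6 +731,7 @@ func TestDeleteSecret(t *testing.T) {
 }
 
 func TestPushSecret(t *testing.T) {
+	secretKey := "secret-key"
 	type fields struct {
 		Client    KClient
 		PushType  v1.SecretType
@@ -738,7 +740,7 @@ func TestPushSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		fields fields
-		ref    esv1beta1.PushRemoteRef
+		data   testingfake.PushSecretData
 
 		wantSecretMap map[string]*v1.Secret
 		wantErr       bool
@@ -758,7 +760,8 @@ func TestPushSecret(t *testing.T) {
 				},
 				PushValue: "bar",
 			},
-			ref: v1alpha1.PushSecretRemoteRef{
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
 				RemoteKey: "mysec",
 			},
 			wantErr: true,
@@ -785,7 +788,8 @@ func TestPushSecret(t *testing.T) {
 				},
 				PushValue: "bar",
 			},
-			ref: v1alpha1.PushSecretRemoteRef{
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
 				RemoteKey: "mysec",
 				Property:  "secret",
 			},
@@ -814,7 +818,8 @@ func TestPushSecret(t *testing.T) {
 				},
 				PushValue: "bar",
 			},
-			ref: v1alpha1.PushSecretRemoteRef{
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
 				RemoteKey: "mysec",
 				Property:  "token",
 			},
@@ -842,7 +847,8 @@ func TestPushSecret(t *testing.T) {
 				},
 				PushValue: "bar",
 			},
-			ref: v1alpha1.PushSecretRemoteRef{
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
 				RemoteKey: "mysec",
 				Property:  "secret",
 			},
@@ -877,7 +883,8 @@ func TestPushSecret(t *testing.T) {
 				PushType:  v1.SecretTypeDockerConfigJson,
 				PushValue: `{"auths": {"myregistry.localhost": {"username": "{{ .username }}", "password": "{{ .password }}"}}}`,
 			},
-			ref: v1alpha1.PushSecretRemoteRef{
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
 				RemoteKey: "mysec",
 				Property:  "config.json",
 			},
@@ -902,7 +909,11 @@ func TestPushSecret(t *testing.T) {
 				userSecretClient: tt.fields.Client,
 				store:            &esv1beta1.KubernetesProvider{},
 			}
-			err := p.PushSecret(context.Background(), []byte(tt.fields.PushValue), tt.fields.PushType, nil, tt.ref)
+			s := &v1.Secret{
+				Type: tt.fields.PushType,
+				Data: map[string][]byte{secretKey: []byte(tt.fields.PushValue)},
+			}
+			err := p.PushSecret(context.Background(), s, tt.data)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ProviderKubernetes.DeleteSecret() error = %v, wantErr %v", err, tt.wantErr)
 				return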
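Review bot: The failure message right after the rewritten call in `TestPushSecret` still names the wrong method: it reports `ProviderKubernetes.DeleteSecret()` although the call under test is `p.PushSecret(...)`. Since this commit rewrites the call site directly above it, the message could be corrected in the same change to `t.Errorf("ProviderKubernetes.PushSecret() error = %v, wantErr %v", err, tt.wantErr)`. A failing push test is otherwise easy to misattribute to the delete path when reading CI output.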

+ 2 - 3
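--- a/pkg/provider/onepassword/onepassword.go
+++ b/pkg/provider/onepassword/onepassword.go
@@ -22,7 +22,6 @@ import (
 	"github.com/1Password/connect-sdk-go/connect"
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -153,12 +152,12 @@ func validateStore(store esv1beta1.GenericStore) error {
 	return nil
 }
 
-func (provider *ProviderOnePassword) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (provider *ProviderOnePassword) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }
 
 // Not Implemented PushSecret.
-func (provider *ProviderOnePassword) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (provider *ProviderOnePassword) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 }
 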

+ 4 - 4
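--- a/pkg/provider/oracle/oracle.go
+++ b/pkg/provider/oracle/oracle.go
@@ -32,7 +32,6 @@ import (
 	"github.com/oracle/oci-go-sdk/v65/vault"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -95,8 +94,9 @@ const (
 	SecretAPIError
 )
 
-func (vms *VaultManagementService) PushSecret(ctx context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	secretName := remoteRef.GetRemoteKey()
+func (vms *VaultManagementService) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
+	value := secret.Data[data.GetSecretKey()]
+	secretName := data.GetRemoteKey()
 	encodedValue := base64.StdEncoding.EncodeToString(value)
 	sec, action, err := vms.getSecretBundleWithCode(ctx, secretName)
 	switch action {
@@ -135,7 +135,7 @@ func (vms *VaultManagementService) PushSecret(ctx context.Context, value []byte,
 	}
 }
 
-func (vms *VaultManagementService) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (vms *VaultManagementService) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	secretName := remoteRef.GetRemoteKey()
 	resp, action, err := vms.getSecretBundleWithCode(ctx, secretName)
 	switch action {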

+ 12 - 6
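--- a/pkg/provider/oracle/oracle_test.go
+++ b/pkg/provider/oracle/oracle_test.go
@@ -40,6 +40,7 @@ import (
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	fakeoracle "github.com/external-secrets/external-secrets/pkg/provider/oracle/fake"
+	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 )
 
 const (
@@ -578,9 +579,10 @@ func TestOracleVaultGetAllSecrets(t *testing.T) {
 }
 
 func TestOracleVaultPushSecret(t *testing.T) {
+	testSecretKey := "test-secret-key"
 	var testCases = map[string]struct {
 		vms       *VaultManagementService
-		remoteRef esv1beta1.PushRemoteRef
+		data      testingfake.PushSecretData
 		validator func(service *VaultManagementService) bool
 		content   string
 	}{
@@ -593,7 +595,8 @@ func TestOracleVaultPushSecret(t *testing.T) {
 				},
 				VaultClient: &fakeoracle.OracleMockVaultClient{},
 			},
-			esv1alpha1.PushSecretRemoteRef{
+			testingfake.PushSecretData{
+				SecretKey: testSecretKey,
 				RemoteKey: s1id,
 			},
 			func(vms *VaultManagementService) bool {
@@ -611,7 +614,8 @@ func TestOracleVaultPushSecret(t *testing.T) {
 				},
 				VaultClient: &fakeoracle.OracleMockVaultClient{},
 			},
-			esv1alpha1.PushSecretRemoteRef{
+			testingfake.PushSecretData{
+				SecretKey: testSecretKey,
 				RemoteKey: s1id,
 			},
 			func(vms *VaultManagementService) bool {
@@ -629,7 +633,8 @@ func TestOracleVaultPushSecret(t *testing.T) {
 				},
 				VaultClient: &fakeoracle.OracleMockVaultClient{},
 			},
-			esv1alpha1.PushSecretRemoteRef{
+			testingfake.PushSecretData{
+				SecretKey: testSecretKey,
 				RemoteKey: s1id,
 			},
 			func(vms *VaultManagementService) bool {
@@ -641,7 +646,8 @@ func TestOracleVaultPushSecret(t *testing.T) {
 	}
 	for name, testCase := range testCases {
 		t.Run(name, func(t *testing.T) {
-			err := testCase.vms.PushSecret(context.Background(), []byte(testCase.content), "", nil, testCase.remoteRef)
+			s := &corev1.Secret{Data: map[string][]byte{testSecretKey: []byte(testCase.content)}}
+			err := testCase.vms.PushSecret(context.Background(), s, testCase.data)
 			assert.NoError(t, err)
 			assert.True(t, testCase.validator(testCase.vms))
 		})
@@ -651,7 +657,7 @@ func TestOracleVaultPushSecret(t *testing.T) {
 func TestOracleVaultDeleteSecret(t *testing.T) {
 	var testCases = map[string]struct {
 		vms       *VaultManagementService
-		remoteRef esv1beta1.PushRemoteRef
+		remoteRef esv1beta1.PushSecretRemoteRef
 		validator func(service *VaultManagementService) bool
 	}{
 		"do not delete if secret not found": {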

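--- a/pkg/provider/scaleway/client.go
+++ b/pkg/provider/scaleway/client.go
@@ -27,7 +27,6 @@ import (
 	"github.com/scaleway/scaleway-sdk-go/scw"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/find"
@@ -102,8 +101,9 @@ func (c *client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretData
 	return value, nil
 }
 
-func (c *client) PushSecret(ctx context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	scwRef, err := decodeScwSecretRef(remoteRef.GetRemoteKey())
+func (c *client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
+	value := secret.Data[data.GetSecretKey()]
+	scwRef, err := decodeScwSecretRef(data.GetRemoteKey())
 	if err != nil {
 		return err
 	}
@@ -211,7 +211,7 @@ func (c *client) PushSecret(ctx context.Context, value []byte, _ corev1.SecretTy
 	return nil
 }
 
-func (c *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (c *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	scwRef, err := decodeScwSecretRef(remoteRef.GetRemoteKey())
 	if err != nil {
 		return err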
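Review bot: `value := secret.Data[data.GetSecretKey()]` in PushSecret reads the map without checking that the key is present, so a push entry naming a key the Secret does not hold passes a nil value on instead of failing, and a nil `secret` would panic on the same line. What the rest of PushSecret does with that value lies outside this hunk, so unless the controller guarantees the key exists, an explicit guard is safer: `value, ok := secret.Data[data.GetSecretKey()]` followed by `if !ok { return <error naming the missing key> }`. The same unchecked lookup appears in the vault provider's PushSecret, where the property branch would store `string(value)` as an empty string, and in pkg/provider/testing/fake/fake.go. Providers now also receive the whole Secret rather than a single value, so the interface documentation should state that an implementation reads only the key named by `GetSecretKey()`.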

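--- a/pkg/provider/scaleway/client_test.go
+++ b/pkg/provider/scaleway/client_test.go
@@ -15,11 +15,14 @@ package scaleway
 
 import (
 	"context"
+	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
@@ -205,24 +208,26 @@ func TestGetSecret(t *testing.T) {
 	}
 }
 
-type pushRemoteRef string
-
-func (ref pushRemoteRef) GetRemoteKey() string {
-	return string(ref)
-}
-
-func (ref pushRemoteRef) GetProperty() string {
-	return ""
-}
-
 func TestPushSecret(t *testing.T) {
+	secretKey := "secret-key"
+	pushSecretData := func(remoteKey string) testingfake.PushSecretData {
+		return testingfake.PushSecretData{
+			SecretKey: secretKey,
+			RemoteKey: remoteKey,
+		}
+	}
+	secret := func(value []byte) *corev1.Secret {
+		return &corev1.Secret{
+			Data: map[string][]byte{secretKey: value},
+		}
+	}
 	t.Run("to new secret", func(t *testing.T) {
 		ctx := context.Background()
 		c := newTestClient()
 		data := []byte("some secret data 6a8ff33b-c69a-4e42-b162-b7b595ee7f5f")
 		secretName := "secret-creation-test"
 
-		pushErr := c.PushSecret(ctx, data, "", nil, pushRemoteRef("name:"+secretName))
+		pushErr := c.PushSecret(ctx, secret(data), pushSecretData(fmt.Sprintf("name:%s", secretName)))
 
 		assert.NoError(t, pushErr)
 		assert.Len(t, db.secret(secretName).versions, 1)
@@ -234,9 +239,9 @@ func TestPushSecret(t *testing.T) {
 		c := newTestClient()
 		data := []byte("some secret data a11d416b-9169-4f4a-8c27-d2959b22e189")
 		secretName := "secret-update-test"
-		assert.NoError(t, c.PushSecret(ctx, []byte("original data"), "", nil, pushRemoteRef("name:"+secretName)))
+		assert.NoError(t, c.PushSecret(ctx, secret([]byte("original data")), pushSecretData(fmt.Sprintf("name:%s", secretName))))
 
-		pushErr := c.PushSecret(ctx, data, "", nil, pushRemoteRef("name:"+secretName))
+		pushErr := c.PushSecret(ctx, secret(data), pushSecretData(fmt.Sprintf("name:%s", secretName)))
 
 		assert.NoError(t, pushErr)
 		assert.Len(t, db.secret(secretName).versions, 2)
@@ -249,7 +254,7 @@ func TestPushSecret(t *testing.T) {
 		data := []byte("some secret data a11d416b-9169-4f4a-8c27-d2959b22e189")
 		secretName := "push-me"
 
-		pushErr := c.PushSecret(ctx, data, "", nil, pushRemoteRef("name:"+secretName))
+		pushErr := c.PushSecret(ctx, secret(data), pushSecretData(fmt.Sprintf("name:%s", secretName)))
 
 		assert.NoError(t, pushErr)
 		assert.Len(t, db.secret(secretName).versions, 1)
@@ -263,7 +268,7 @@ func TestPushSecret(t *testing.T) {
 		secretPath := "/folder"
 		secretName := "secret-in-path"
 
-		pushErr := c.PushSecret(ctx, data, "", nil, pushRemoteRef("path:"+secretPath+"/"+secretName))
+		pushErr := c.PushSecret(ctx, secret(data), pushSecretData(fmt.Sprintf("path:%s/%s", secretPath, secretName)))
 		assert.NoError(t, pushErr)
 		assert.Len(t, db.secret(secretName).versions, 1)
 		assert.Equal(t, data, db.secret(secretName).versions[0].data)
@@ -274,7 +279,7 @@ func TestPushSecret(t *testing.T) {
 		ctx := context.Background()
 		c := newTestClient()
 
-		pushErr := c.PushSecret(ctx, []byte("some data"), "", nil, pushRemoteRef("invalid:abcd"))
+		pushErr := c.PushSecret(ctx, secret([]byte("some data")), pushSecretData("invalid:abcd"))
 
 		assert.Error(t, pushErr)
 	})
@@ -283,7 +288,7 @@ func TestPushSecret(t *testing.T) {
 		ctx := context.Background()
 		c := newTestClient()
 
-		pushErr := c.PushSecret(ctx, []byte("some data"), "", nil, pushRemoteRef("id:"+db.secret("cant-push").id))
+		pushErr := c.PushSecret(ctx, secret([]byte("some data")), pushSecretData(fmt.Sprintf("id:%s", db.secret("cant-push").id)))
 
 		assert.Error(t, pushErr)
 	})
@@ -291,24 +296,24 @@ func TestPushSecret(t *testing.T) {
 	t.Run("without change does not create a version", func(t *testing.T) {
 		ctx := context.Background()
 		c := newTestClient()
-		secret := db.secret("not-changed")
+		fs := db.secret("not-changed")
 
-		pushErr := c.PushSecret(ctx, secret.versions[0].data, "", nil, pushRemoteRef("name:"+secret.name))
+		pushErr := c.PushSecret(ctx, secret(fs.versions[0].data), pushSecretData(fmt.Sprintf("name:%s", fs.name)))
 
 		assert.NoError(t, pushErr)
-		assert.Equal(t, 1, len(secret.versions))
+		assert.Equal(t, 1, len(fs.versions))
 	})
 
 	t.Run("previous version is disabled", func(t *testing.T) {
 		ctx := context.Background()
 		c := newTestClient()
-		secret := db.secret("disabling-old-versions")
+		fs := db.secret("disabling-old-versions")
 
-		pushErr := c.PushSecret(ctx, []byte("some new data"), "", nil, pushRemoteRef("name:"+secret.name))
+		pushErr := c.PushSecret(ctx, secret([]byte("some new data")), pushSecretData(fmt.Sprintf("name:%s", fs.name)))
 
 		assert.NoError(t, pushErr)
-		assert.Equal(t, 2, len(secret.versions))
-		assert.Equal(t, "disabled", secret.versions[0].status)
+		assert.Equal(t, 2, len(fs.versions))
+		assert.Equal(t, "disabled", fs.versions[0].status)
 	})
 }
 
@@ -404,19 +409,19 @@ func TestDeleteSecret(t *testing.T) {
 	byPath := db.secret("nested-secret")
 
 	testCases := map[string]struct {
-		ref esv1beta1.PushRemoteRef
+		ref testingfake.PushSecretData
 		err error
 	}{
 		"Delete Successfully": {
-			ref: pushRemoteRef("name:" + secret.name),
+			ref: testingfake.PushSecretData{RemoteKey: "name:" + secret.name},
 			err: nil,
 		},
 		"Delete by path": {
-			ref: pushRemoteRef("path:" + byPath.path + "/" + byPath.name),
+			ref: testingfake.PushSecretData{RemoteKey: "path:" + byPath.path + "/" + byPath.name},
 			err: nil,
 		},
 		"Secret Not Found": {
-			ref: pushRemoteRef("name:not-a-secret"),
+			ref: testingfake.PushSecretData{RemoteKey: "name:not-a-secret"},
 			err: nil,
 		},
 	}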
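Review bot: Every subtest in TestPushSecret builds its Secret through the `secret` helper, which always stores the value under `secretKey`, so the new lookup by `GetSecretKey()` is never exercised with a key that is absent from `Data`. A subtest that passes `testingfake.PushSecretData{SecretKey: "absent", RemoteKey: "name:push-me"}` and asserts the intended outcome would pin down whether the provider rejects the push or writes an empty version. In TestDeleteSecret the table field is now the concrete `testingfake.PushSecretData`, while DeleteSecret takes `esv1beta1.PushSecretRemoteRef`; declaring `ref esv1beta1.PushSecretRemoteRef` keeps the table tied to what the method consumes.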

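--- a/pkg/provider/senhasegura/dsm/dsm.go
+++ b/pkg/provider/senhasegura/dsm/dsm.go
@@ -25,7 +25,6 @@ import (
 	"net/url"
 
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	senhaseguraAuth "github.com/external-secrets/external-secrets/pkg/provider/senhasegura/auth"
@@ -93,12 +92,12 @@ func New(isoSession *senhaseguraAuth.SenhaseguraIsoSession) (*DSM, error) {
 	}, nil
 }
 
-func (dsm *DSM) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (dsm *DSM) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }
 
 // Not Implemented PushSecret.
-func (dsm *DSM) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (dsm *DSM) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 }
 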

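--- a/pkg/provider/testing/fake/fake.go
+++ b/pkg/provider/testing/fake/fake.go
@@ -18,7 +18,6 @@ import (
 	"context"
 
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
@@ -28,7 +27,7 @@ var _ esv1beta1.Provider = &Client{}
 
 type SetSecretCallArgs struct {
 	Value     []byte
-	RemoteRef esv1beta1.PushRemoteRef
+	RemoteRef esv1beta1.PushSecretRemoteRef
 }
 
 // Client is a fake client for testing.
@@ -81,15 +80,15 @@ func (v *Client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecret
 }
 
 // Not Implemented PushSecret.
-func (v *Client) PushSecret(_ context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
-	v.SetSecretArgs[remoteRef.GetRemoteKey()] = SetSecretCallArgs{
-		Value:     value,
-		RemoteRef: remoteRef,
+func (v *Client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
+	v.SetSecretArgs[data.GetRemoteKey()] = SetSecretCallArgs{
+		Value:     secret.Data[data.GetSecretKey()],
+		RemoteRef: data,
 	}
 	return v.SetSecretFn()
 }
 
-func (v *Client) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (v *Client) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return v.DeleteSecretFn()
 }
 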

+ 40 - 0
pkg/provider/testing/fake/push_secret_data.go

@@ -0,0 +1,40 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+
+type PushSecretData struct {
+	Metadata  *apiextensionsv1.JSON
+	SecretKey string
+	RemoteKey string
+	Property  string
+}
+
+func (f PushSecretData) GetMetadata() *apiextensionsv1.JSON {
+	return f.Metadata
+}
+
+func (f PushSecretData) GetSecretKey() string {
+	return f.SecretKey
+}
+
+func (f PushSecretData) GetRemoteKey() string {
+	return f.RemoteKey
+}
+
+func (f PushSecretData) GetProperty() string {
+	return f.Property
+}
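Review bot: The exported `PushSecretData` type and its four getters carry no doc comments, and nothing in this new file ties the struct to the interfaces it is passed as in the provider tests. A comment such as `// PushSecretData is a test double for esv1beta1.PushSecretData with directly settable fields.` together with a compile-time check `var _ esv1beta1.PushSecretData = PushSecretData{}` would document the intent and make an interface change fail here rather than in each provider test. fake.go in the same directory already imports esv1beta1, so the assertion should not introduce a new dependency for the package.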

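--- a/pkg/provider/vault/vault.go
+++ b/pkg/provider/vault/vault.go
@@ -44,7 +44,6 @@ import (
 	"github.com/tidwall/gjson"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
@@ -435,7 +434,7 @@ func (c *Connector) ValidateStore(store esv1beta1.GenericStore) error {
 	return nil
 }
 
-func (v *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+func (v *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
 	path := v.buildPath(remoteRef.GetRemoteKey())
 	metaPath, err := v.buildMetadataPath(remoteRef.GetRemoteKey())
 	if err != nil {
@@ -483,15 +482,16 @@ func (v *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemot
 	return nil
 }
 
-func (v *client) PushSecret(ctx context.Context, value []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, remoteRef esv1beta1.PushRemoteRef) error {
+func (v *client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
+	value := secret.Data[data.GetSecretKey()]
 	label := map[string]interface{}{
 		"custom_metadata": map[string]string{
 			"managed-by": "external-secrets",
 		},
 	}
 	secretVal := make(map[string]interface{})
-	path := v.buildPath(remoteRef.GetRemoteKey())
-	metaPath, err := v.buildMetadataPath(remoteRef.GetRemoteKey())
+	path := v.buildPath(data.GetRemoteKey())
+	metaPath, err := v.buildMetadataPath(data.GetRemoteKey())
 	if err != nil {
 		return err
 	}
@@ -504,7 +504,7 @@ func (v *client) PushSecret(ctx context.Context, value []byte, _ corev1.SecretTy
 	}
 	// If the secret exists (err == nil), we should check if it is managed by external-secrets
 	if err == nil {
-		metadata, err := v.readSecretMetadata(ctx, remoteRef.GetRemoteKey())
+		metadata, err := v.readSecretMetadata(ctx, data.GetRemoteKey())
 		if err != nil {
 			return err
 		}
@@ -528,9 +528,9 @@ func (v *client) PushSecret(ctx context.Context, value []byte, _ corev1.SecretTy
 		return nil
 	}
 	// If a Push of a property only, we should merge and add/update the property
-	if remoteRef.GetProperty() != "" {
-		if _, ok := vaultSecret[remoteRef.GetProperty()]; ok {
-			d := vaultSecret[remoteRef.GetProperty()].(string)
+	if data.GetProperty() != "" {
+		if _, ok := vaultSecret[data.GetProperty()]; ok {
+			d := vaultSecret[data.GetProperty()].(string)
 			if err != nil {
 				return fmt.Errorf("error marshaling vault secret: %w", err)
 			}
@@ -543,7 +543,7 @@ func (v *client) PushSecret(ctx context.Context, value []byte, _ corev1.SecretTy
 			secretVal[k] = v
 		}
 		// Secret got from vault is already on map[string]string format
-		secretVal[data.GetProperty()] = string(value)
+		secretVal[data.GetProperty()] = string(value)
 	} else {
 		err = json.Unmarshal(value, &secretVal)
 		if err != nil {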
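Review bot: `d := vaultSecret[data.GetProperty()].(string)` in the property branch of PushSecret is an unchecked type assertion, so an existing property whose stored value is a number, boolean or nested object panics the push instead of producing an error. Use the two-value form, `d, ok := vaultSecret[data.GetProperty()].(string)`, and handle `!ok` explicitly, either by returning an error or by treating the property as changed. The `if err != nil` directly after the assertion tests an `err` that nothing on these lines assigns, so it reads as a leftover and could be dropped in the same change. PushSecret begins and ends outside these hunks, so how `vaultSecret` is populated is not visible here; the later comment suggests it is read back from Vault.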

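--- a/pkg/provider/vault/vault_test.go
+++ b/pkg/provider/vault/vault_test.go
@@ -34,6 +34,7 @@ import (
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 	utilfake "github.com/external-secrets/external-secrets/pkg/provider/util/fake"
 	"github.com/external-secrets/external-secrets/pkg/provider/vault/fake"
 	"github.com/external-secrets/external-secrets/pkg/provider/vault/util"
@@ -1668,19 +1669,6 @@ func TestValidateStore(t *testing.T) {
 	}
 }
 
-type fakeRef struct {
-	key      string
-	property string
-}
-
-func (f fakeRef) GetRemoteKey() string {
-	return f.key
-}
-
-func (f fakeRef) GetProperty() string {
-	return f.property
-}
-
 func TestDeleteSecret(t *testing.T) {
 	type args struct {
 		store    *esv1beta1.VaultProvider
@@ -1693,7 +1681,7 @@ func TestDeleteSecret(t *testing.T) {
 	tests := map[string]struct {
 		reason string
 		args   args
-		ref    *fakeRef
+		ref    *testingfake.PushSecretData
 		want   want
 		value  []byte
 	}{
@@ -1790,7 +1778,7 @@ func TestDeleteSecret(t *testing.T) {
 		},
 		"DeleteSecretUpdateProperty": {
 			reason: "Secret should only be updated if Property is set",
-			ref:    &fakeRef{key: "secret", property: "fake-key"},
+			ref:    &testingfake.PushSecretData{RemoteKey: "secret", Property: "fake-key"},
 			args: args{
 				store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
@@ -1813,7 +1801,7 @@ func TestDeleteSecret(t *testing.T) {
 		},
 		"DeleteSecretIfNoOtherProperties": {
 			reason: "Secret should only be deleted if no other properties are set",
-			ref:    &fakeRef{key: "secret", property: "foo"},
+			ref:    &testingfake.PushSecretData{RemoteKey: "secret", Property: "foo"},
 			args: args{
 				store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
@@ -1836,7 +1824,7 @@ func TestDeleteSecret(t *testing.T) {
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			ref := fakeRef{key: "secret", property: ""}
+			ref := testingfake.PushSecretData{RemoteKey: "secret", Property: ""}
 			if tc.ref != nil {
 				ref = *tc.ref
 			}
@@ -1860,7 +1848,8 @@ func TestDeleteSecret(t *testing.T) {
 		})
 	}
 }
-func TestSetSecret(t *testing.T) {
+func TestPushSecret(t *testing.T) {
+	secretKey := "secret-key"
 	noPermission := errors.New("no permission")
 
 	type args struct {
@@ -1875,7 +1864,7 @@ func TestSetSecret(t *testing.T) {
 		reason string
 		args   args
 		want   want
-		ref    *fakeRef
+		data   *testingfake.PushSecretData
 		value  []byte
 	}{
 		"SetSecret": {
@@ -1928,7 +1917,7 @@ func TestSetSecret(t *testing.T) {
 		"PushSecretProperty": {
 			reason: "push secret with property adds the property",
 			value:  []byte("fake-value"),
-			ref:    &fakeRef{key: "secret", property: "foo"},
+			data:   &testingfake.PushSecretData{SecretKey: secretKey, RemoteKey: "secret", Property: "foo"},
 			args: args{
 				store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
@@ -1950,7 +1939,7 @@ func TestSetSecret(t *testing.T) {
 		"PushSecretUpdateProperty": {
 			reason: "push secret with property only updates the property",
 			value:  []byte("new-value"),
-			ref:    &fakeRef{key: "secret", property: "foo"},
+			data:   &testingfake.PushSecretData{SecretKey: secretKey, RemoteKey: "secret", Property: "foo"},
 			args: args{
 				store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
@@ -1972,7 +1961,7 @@ func TestSetSecret(t *testing.T) {
 		"PushSecretPropertyNoUpdate": {
 			reason: "push secret with property only updates the property",
 			value:  []byte("fake-value"),
-			ref:    &fakeRef{key: "secret", property: "foo"},
+			data:   &testingfake.PushSecretData{SecretKey: secretKey, RemoteKey: "secret", Property: "foo"},
 			args: args{
 				store: makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
@@ -2028,9 +2017,9 @@ func TestSetSecret(t *testing.T) {
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			ref := fakeRef{key: "secret", property: ""}
-			if tc.ref != nil {
-				ref = *tc.ref
+			data := testingfake.PushSecretData{SecretKey: secretKey, RemoteKey: "secret", Property: ""}
+			if tc.data != nil {
+				data = *tc.data
 			}
 			client := &client{
 				logical: tc.args.vLogical,
@@ -2040,7 +2029,8 @@ func TestSetSecret(t *testing.T) {
 			if val == nil {
 				val = []byte(`{"fake-key":"fake-value"}`)
 			}
-			err := client.PushSecret(context.Background(), val, "", nil, ref)
+			s := &corev1.Secret{Data: map[string][]byte{secretKey: val}}
+			err := client.PushSecret(context.Background(), s, data)
 
 			// Error nil XOR tc.want.err nil
 			if ((err == nil) || (tc.want.err == nil)) && !((err == nil) && (tc.want.err == nil)) {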

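--- a/pkg/provider/webhook/webhook.go
+++ b/pkg/provider/webhook/webhook.go
@@ -30,7 +30,6 @@ import (
 	"github.com/PaesslerAG/jsonpath"
 	"gopkg.in/yaml.v3"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
@@ -118,12 +117,12 @@ func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelect
 	return secret, nil
 }
 
-func (w *WebHook) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (w *WebHook) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }
 
 // Not Implemented PushSecret.
-func (w *WebHook) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (w *WebHook) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 }
 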

+ 2 - 3
pkg/provider/yandex/common/secretsclient.go

@@ -18,7 +18,6 @@ import (
 	"fmt"
 	"fmt"
 
 
 	corev1 "k8s.io/api/core/v1"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 )
@@ -37,11 +36,11 @@ func (c *yandexCloudSecretsClient) GetSecret(ctx context.Context, ref esv1beta1.
 	return c.secretGetter.GetSecret(ctx, c.iamToken, ref.Key, ref.Version, ref.Property)
 	return c.secretGetter.GetSecret(ctx, c.iamToken, ref.Key, ref.Version, ref.Property)
 }
 }
 
 
-func (c *yandexCloudSecretsClient) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+func (c *yandexCloudSecretsClient) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
 	return fmt.Errorf("not implemented")
 	return fmt.Errorf("not implemented")
 }
 }
 
 
-func (c *yandexCloudSecretsClient) PushSecret(_ context.Context, _ []byte, _ corev1.SecretType, _ *apiextensionsv1.JSON, _ esv1beta1.PushRemoteRef) error {
+func (c *yandexCloudSecretsClient) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
 	return fmt.Errorf("not implemented")
 	return fmt.Errorf("not implemented")
 }
 }