
chore(linter): fix revive linter issues in `pkg` (#5412)

* chore(linter): fix revive linter errors

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* chore(linter): fix revive linter errors

* rename the pkg/utils to pkg/esutils

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* chore(linter): fix import issues

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* chore(linter): fix package comment

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

---------

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>
Ogundele Olumide 8 달 전
커밋
e92a450a49
100개의 변경된 파일723개의 추가작업 그리고 434개의 파일을 삭제
  1. 2 1
      pkg/cache/cache.go
  2. 2 2
      pkg/cache/cache_test.go
  3. 5 0
      pkg/common/webhook/models.go
  4. 25 10
      pkg/common/webhook/webhook.go
  5. 2 0
      pkg/constants/constants.go
  6. 5 0
      pkg/controllers/clusterexternalsecret/cesmetrics/cesmetrics.go
  7. 10 3
      pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go
  8. 11 11
      pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller_test.go
  9. 5 0
      pkg/controllers/clusterexternalsecret/util.go
  10. 8 3
      pkg/controllers/clusterpushsecret/clusterpushsecret_controller.go
  11. 8 8
      pkg/controllers/clusterpushsecret/clusterpushsecret_controller_test.go
  12. 4 0
      pkg/controllers/clusterpushsecret/cpsmetrics/cpsmetrics.go
  13. 5 0
      pkg/controllers/clusterpushsecret/util.go
  14. 2 1
      pkg/controllers/common/common.go
  15. 3 0
      pkg/controllers/commontest/common.go
  16. 1 0
      pkg/controllers/crds/common_test.go
  17. 17 3
      pkg/controllers/crds/crds_controller.go
  18. 14 5
      pkg/controllers/externalsecret/esmetrics/esmetrics.go
  19. 10 9
      pkg/controllers/externalsecret/externalsecret_controller.go
  20. 15 15
      pkg/controllers/externalsecret/externalsecret_controller_secret.go
  21. 6 6
      pkg/controllers/externalsecret/externalsecret_controller_template.go
  22. 81 80
      pkg/controllers/externalsecret/externalsecret_controller_test.go
  23. 7 0
      pkg/controllers/generatorstate/generatorstate_controller.go
  24. 3 4
      pkg/controllers/generatorstate/util.go
  25. 7 0
      pkg/controllers/metrics/labels.go
  26. 10 2
      pkg/controllers/pushsecret/psmetrics/psmetrics.go
  27. 31 6
      pkg/controllers/pushsecret/pushsecret_controller.go
  28. 3 3
      pkg/controllers/pushsecret/pushsecret_controller_template.go
  29. 23 23
      pkg/controllers/pushsecret/pushsecret_controller_test.go
  30. 4 0
      pkg/controllers/secretstore/client_manager.go
  31. 4 4
      pkg/controllers/secretstore/client_manager_test.go
  32. 4 0
      pkg/controllers/secretstore/clustersecretstore_controller.go
  33. 12 10
      pkg/controllers/secretstore/common.go
  34. 6 1
      pkg/controllers/secretstore/cssmetrics/cssmetrics.go
  35. 4 0
      pkg/controllers/secretstore/metrics/metrics.go
  36. 4 0
      pkg/controllers/secretstore/secretstore_controller.go
  37. 6 1
      pkg/controllers/secretstore/ssmetrics/ssmetrics.go
  38. 11 0
      pkg/controllers/templating/parser.go
  39. 8 3
      pkg/controllers/util/util.go
  40. 17 2
      pkg/controllers/webhookconfig/webhookconfig.go
  41. 11 3
      pkg/esutils/metadata/metadata.go
  42. 0 0
      pkg/esutils/resolvers/generator.go
  43. 1 1
      pkg/esutils/resolvers/secret_ref.go
  44. 0 0
      pkg/esutils/resolvers/secret_ref_test.go
  45. 22 5
      pkg/esutils/utils.go
  46. 1 1
      pkg/esutils/utils_test.go
  47. 1 0
      pkg/feature/feature.go
  48. 4 0
      pkg/find/find.go
  49. 5 1
      pkg/generator/acr/acr.go
  50. 12 9
      pkg/generator/cloudsmith/cloudsmith.go
  51. 3 3
      pkg/generator/cloudsmith/cloudsmith_test.go
  52. 5 1
      pkg/generator/ecr/ecr.go
  53. 5 4
      pkg/generator/ecr/resolver.go
  54. 7 2
      pkg/generator/gcr/gcr.go
  55. 10 5
      pkg/generator/github/github.go
  56. 5 1
      pkg/generator/grafana/grafana.go
  57. 6 1
      pkg/generator/mfa/mfa.go
  58. 6 2
      pkg/generator/password/password.go
  59. 8 4
      pkg/generator/quay/quay.go
  60. 2 2
      pkg/generator/register/register.go
  61. 5 1
      pkg/generator/sshkey/sshkey.go
  62. 6 3
      pkg/generator/statemanager/statemanager.go
  63. 6 1
      pkg/generator/sts/sts.go
  64. 5 5
      pkg/generator/sts/sts_test.go
  65. 5 1
      pkg/generator/uuid/uuid.go
  66. 8 4
      pkg/generator/vault/vault.go
  67. 1 1
      pkg/generator/vault/vault_test.go
  68. 5 1
      pkg/generator/webhook/webhook.go
  69. 5 1
      pkg/metrics/metrics.go
  70. 14 14
      pkg/provider/akeyless/akeyless.go
  71. 1 1
      pkg/provider/akeyless/akeyless_api.go
  72. 1 1
      pkg/provider/akeyless/auth.go
  73. 21 21
      pkg/provider/alibaba/client.go
  74. 20 20
      pkg/provider/alibaba/kms.go
  75. 11 11
      pkg/provider/alibaba/kms_test.go
  76. 2 2
      pkg/provider/aws/auth/auth.go
  77. 11 9
      pkg/provider/aws/parameterstore/parameterstore.go
  78. 2 2
      pkg/provider/aws/parameterstore/parameterstore_test.go
  79. 9 9
      pkg/provider/aws/provider.go
  80. 10 10
      pkg/provider/aws/secretsmanager/secretsmanager.go
  81. 4 4
      pkg/provider/aws/secretsmanager/secretsmanager_test.go
  82. 2 2
      pkg/provider/aws/util/errors.go
  83. 1 1
      pkg/provider/aws/util/errors_test.go
  84. 1 1
      pkg/provider/aws/util/provider.go
  85. 1 1
      pkg/provider/aws/util/provider_test.go
  86. 2 1
      pkg/provider/aws/util/validation.go
  87. 7 7
      pkg/provider/azure/keyvault/keyvault.go
  88. 1 1
      pkg/provider/azure/keyvault/keyvault_new_sdk.go
  89. 9 9
      pkg/provider/azure/keyvault/keyvault_test.go
  90. 2 2
      pkg/provider/beyondtrust/provider.go
  91. 3 3
      pkg/provider/bitwarden/client.go
  92. 3 3
      pkg/provider/bitwarden/provider.go
  93. 4 4
      pkg/provider/chef/chef.go
  94. 3 3
      pkg/provider/chef/chef_test.go
  95. 2 2
      pkg/provider/cloudru/secretmanager/client.go
  96. 3 3
      pkg/provider/cloudru/secretmanager/provider.go
  97. 1 1
      pkg/provider/cloudru/secretmanager/resolver.go
  98. 1 1
      pkg/provider/conjur/auth_jwt.go
  99. 4 4
      pkg/provider/conjur/client.go
  100. 2 2
      pkg/provider/conjur/util/provider.go

+ 2 - 1
pkg/cache/cache.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cache provides a generic LRU cache with versioning support.
 package cache
 
 import (
@@ -26,7 +27,7 @@ import (
 // lookup values using a key and a version.
 // By design, this cache allows access to only a single version of a given key.
 // A version mismatch is considered a cache miss and the key gets evicted if it exists.
-// When a key is evicted a optional cleanup function is called.
+// When a key is evicted an optional cleanup function is called.
 type Cache[T any] struct {
 	lru         *lru.Cache
 	size        int

+ 2 - 2
pkg/cache/cache_test.go

@@ -68,7 +68,7 @@ func TestCacheGet(t *testing.T) {
 
 func TestCacheGetInvalidVersion(t *testing.T) {
 	var cleanupCalled bool
-	c, err := New(1, func(client *client) {
+	c, err := New(1, func(*client) {
 		cleanupCalled = true
 	})
 	if err != nil {
@@ -85,7 +85,7 @@ func TestCacheGetInvalidVersion(t *testing.T) {
 
 func TestCacheEvict(t *testing.T) {
 	var cleanupCalled bool
-	c, err := New(1, func(client client) {
+	c, err := New(1, func(client) {
 		cleanupCalled = true
 	})
 	if err != nil {

+ 5 - 0
pkg/common/webhook/models.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package webhook provides functionality for interacting with external webhook services
+// to fetch and push secret data.
 package webhook
 
 import (
@@ -23,6 +25,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// Spec defines the configuration for a webhook provider.
 type Spec struct {
 	// Webhook Method
 	// +optional, default GET
@@ -84,12 +87,14 @@ type NTLMProtocol struct {
 	Password esmeta.SecretKeySelector `json:"passwordSecret"`
 }
 
+// Result defines how to process and extract data from webhook responses.
 type Result struct {
 	// Json path of return value
 	// +optional
 	JSONPath string `json:"jsonPath,omitempty"`
 }
 
+// Secret defines a secret that can be used in webhook templates.
 type Secret struct {
 	// Name of this secret in templates
 	Name string `json:"name"`

+ 25 - 10
pkg/common/webhook/webhook.go

@@ -37,11 +37,13 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/external-secrets/external-secrets/pkg/template/v2"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
+// Webhook implements functionality to interact with webhook endpoints
+// to retrieve and push secrets.
 type Webhook struct {
 	Kube          client.Client
 	Namespace     string
@@ -77,6 +79,9 @@ func (w *Webhook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelect
 	}
 	return secret, nil
 }
+
+// GetSecretMap retrieves a secret from a webhook endpoint and processes
+// the response as a map of key-value pairs.
 func (w *Webhook) GetSecretMap(ctx context.Context, provider *Spec, ref *esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	result, err := w.GetWebhookData(ctx, provider, ref)
 	if err != nil {
@@ -111,7 +116,7 @@ func (w *Webhook) GetSecretMap(ctx context.Context, provider *Spec, ref *esv1.Ex
 	// Change the map of generic objects to a map of byte arrays
 	values := make(map[string][]byte)
 	for rKey := range jsonvalue {
-		values[rKey], err = utils.GetByteValueFromMap(jsonvalue, rKey)
+		values[rKey], err = esutils.GetByteValueFromMap(jsonvalue, rKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get response for key '%s': %w", rKey, err)
 		}
@@ -119,6 +124,7 @@ func (w *Webhook) GetSecretMap(ctx context.Context, provider *Spec, ref *esv1.Ex
 	return values, nil
 }
 
+// GetTemplateData prepares the template data for webhook requests based on the given remote reference.
 func (w *Webhook) GetTemplateData(ctx context.Context, ref *esv1.ExternalSecretDataRemoteRef, secrets []Secret, urlEncode bool) (map[string]map[string]string, error) {
 	data := map[string]map[string]string{}
 	if ref != nil {
@@ -145,6 +151,7 @@ func (w *Webhook) GetTemplateData(ctx context.Context, ref *esv1.ExternalSecretD
 	return data, nil
 }
 
+// GetTemplatePushData prepares the template data for webhook push requests.
 func (w *Webhook) GetTemplatePushData(ctx context.Context, ref esv1.PushSecretData, secrets []Secret, urlEncode bool) (map[string]map[string]string, error) {
 	data := map[string]map[string]string{}
 	if ref != nil {
@@ -189,6 +196,7 @@ func (w *Webhook) getTemplatedSecrets(ctx context.Context, secrets []Secret, dat
 	return nil
 }
 
+// GetWebhookData makes a request to the webhook endpoint and returns the raw response data.
 func (w *Webhook) GetWebhookData(ctx context.Context, provider *Spec, ref *esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if w.HTTP == nil {
 		return nil, errors.New("http client not initialized")
@@ -225,6 +233,7 @@ func (w *Webhook) GetWebhookData(ctx context.Context, provider *Spec, ref *esv1.
 	return w.executeRequest(ctx, provider, body.Bytes(), url, method, rawData)
 }
 
+// PushWebhookData pushes data to a webhook endpoint.
 func (w *Webhook) PushWebhookData(ctx context.Context, provider *Spec, data []byte, remoteKey esv1.PushSecretData) error {
 	if w.HTTP == nil {
 		return errors.New("http client not initialized")
@@ -282,7 +291,7 @@ func (w *Webhook) executeRequest(ctx context.Context, provider *Spec, data []byt
 	}
 
 	if provider.Auth != nil {
-		req, err = w.ReqAddAuth(req, provider, ctx)
+		req, err = w.ReqAddAuth(ctx, req, provider)
 		if err != nil {
 			return nil, err
 		}
@@ -312,6 +321,7 @@ func (w *Webhook) executeRequest(ctx context.Context, provider *Spec, data []byt
 	return io.ReadAll(resp.Body)
 }
 
+// ReqAddHeaders adds headers to an HTTP request based on provider configuration.
 func (w *Webhook) ReqAddHeaders(r *http.Request, provider *Spec, rawData map[string]map[string]string) (*http.Request, error) {
 	reqWithHeaders := r
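Review bot: `return io.ReadAll(resp.Body)` at the top of this hunk reads the entire webhook response into memory with no size cap, so a misbehaving endpoint can make the controller allocate without bound. The body of executeRequest starts outside the hunk, so this applies only if the response body is not already wrapped earlier. If it is not, bound the read, for example `return io.ReadAll(io.LimitReader(resp.Body, maxResponseBytes))`, where `maxResponseBytes` is a placeholder for a limit the project would pick. A response that hits the limit should be reported as an error rather than returned as a truncated secret.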
 
@@ -326,7 +336,8 @@ func (w *Webhook) ReqAddHeaders(r *http.Request, provider *Spec, rawData map[str
 	return reqWithHeaders, nil
 }
 
-func (w *Webhook) ReqAddAuth(r *http.Request, provider *Spec, ctx context.Context) (*http.Request, error) {
+// ReqAddAuth adds authentication to an HTTP request based on provider configuration.
+func (w *Webhook) ReqAddAuth(ctx context.Context, r *http.Request, provider *Spec) (*http.Request, error) {
 	reqWithAuth := r
 
 	//nolint:gocritic // singleCaseSwitch: we prefer to keep it as a switch for clarity
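Review bot: Moving `ctx` to the front of the exported `ReqAddAuth` changes a public method signature inside a linter commit, so any caller outside this repository stops compiling. The only call site visible on this page is the one updated in executeRequest. If `pkg/common/webhook` is treated as importable API, the change belongs in the release notes, alongside the `pkg/utils` to `pkg/esutils` rename. The function body continues past the hunk, so the rest of its behaviour is not reviewed here.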
@@ -352,12 +363,13 @@ func (w *Webhook) ReqAddAuth(r *http.Request, provider *Spec, ctx context.Contex
 	return reqWithAuth, nil
 }
 
+// GetHTTPClient returns an HTTP client configured according to the provider specification.
 func (w *Webhook) GetHTTPClient(ctx context.Context, provider *Spec) (*http.Client, error) {
-	client := &http.Client{}
+	c := &http.Client{}
 
 	// add timeout to client if it is there
 	if provider.Timeout != nil {
-		client.Timeout = provider.Timeout.Duration
+		c.Timeout = provider.Timeout.Duration
 	}
 
 	// add CA to client if it is there
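Review bot: `c := &http.Client{}` leaves `Timeout` at zero when `provider.Timeout` is nil, and a zero timeout means a request to an unresponsive webhook endpoint can block indefinitely. A default may be applied to `Timeout` elsewhere (for example by the CRD schema), which is not visible here. If not, give the client a finite fallback before the override, such as `c := &http.Client{Timeout: defaultWebhookTimeout}`, where `defaultWebhookTimeout` is a placeholder constant. The new doc comment could then state that fallback. GetHTTPClient continues beyond this hunk.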
@@ -373,12 +385,12 @@ func (w *Webhook) GetHTTPClient(ctx context.Context, provider *Spec) (*http.Clie
 			Renegotiation: tls.RenegotiateOnceAsClient,
 		}
 
-		client.Transport = &http.Transport{TLSClientConfig: tlsConf}
+		c.Transport = &http.Transport{TLSClientConfig: tlsConf}
 	}
 	// add authentication method if it s there
 	if provider.Auth != nil {
 		if provider.Auth.NTLM != nil {
-			client.Transport =
+			c.Transport =
 				&ntlmssp.Negotiator{
 					RoundTripper: &http.Transport{
 						TLSNextProto: map[string]func(authority string, c *tls.Conn) http.RoundTripper{}, // Needed to disable HTTP/2
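Review bot: The NTLM branch assigns `c.Transport` a second time, replacing the `&http.Transport{TLSClientConfig: tlsConf}` set just above, and the inner `http.Transport` shown here starts with only `TLSNextProto`. Unless the lines hidden after this hunk also set `TLSClientConfig`, a store that configures both a CA bundle and NTLM would silently drop its custom CA pool and fall back to the system roots. Build a single `*http.Transport`, set `TLSClientConfig` on it in the CA branch, and pass that same value as the negotiator's `RoundTripper`. Separately, the comment `// add authentication method if it s there` has a typo ("it s"), and the closure parameter `c *tls.Conn` now shadows the renamed client variable `c`; it is harmless in a type literal, but `_ *tls.Conn` would read more clearly.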
@@ -390,12 +402,13 @@ func (w *Webhook) GetHTTPClient(ctx context.Context, provider *Spec) (*http.Clie
 	}
 
 	// return client with all add-ons
-	return client, nil
+	return c, nil
 }
 
+// GetCACertPool returns a certificate pool for TLS connections based on provider configuration.
 func (w *Webhook) GetCACertPool(ctx context.Context, provider *Spec) (*x509.CertPool, error) {
 	caCertPool := x509.NewCertPool()
-	ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
+	ca, err := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
 		CABundle:   provider.CABundle,
 		CAProvider: provider.CAProvider,
 		StoreKind:  w.StoreKind,
@@ -413,6 +426,7 @@ func (w *Webhook) GetCACertPool(ctx context.Context, provider *Spec) (*x509.Cert
 	return caCertPool, nil
 }
 
+// ExecuteTemplateString executes a template and returns the result as a string.
 func ExecuteTemplateString(tmpl string, data map[string]map[string]string) (string, error) {
 	result, err := ExecuteTemplate(tmpl, data)
 	if err != nil {
@@ -421,6 +435,7 @@ func ExecuteTemplateString(tmpl string, data map[string]map[string]string) (stri
 	return result.String(), nil
 }
 
+// ExecuteTemplate executes a template and returns the result as a bytes.Buffer.
 func ExecuteTemplate(tmpl string, data map[string]map[string]string) (bytes.Buffer, error) {
 	var result bytes.Buffer
 	if tmpl == "" {

+ 2 - 0
pkg/constants/constants.go

@@ -14,8 +14,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package constants holds constant values for the project.
 package constants
 
+// These constants are used for identifying providers and calls to them.
 const (
 	ProviderAWSSM                = "AWS/SecretsManager"
 	CallAWSSMGetSecretValue      = "GetSecretValue"

+ 5 - 0
pkg/controllers/clusterexternalsecret/cesmetrics/cesmetrics.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cesmetrics provides functionality for tracking and exposing metrics related to ClusterExternalSecret resources.
 package cesmetrics
 
 import (
@@ -25,7 +26,9 @@ import (
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 )
 
+// Constants for metrics subsystem and keys.
 const (
+	// ClusterExternalSecretSubsystem is the subsystem name used for ClusterExternalSecret metrics.
 	ClusterExternalSecretSubsystem            = "clusterexternalsecret"
 	ClusterExternalSecretReconcileDurationKey = "reconcile_duration"
 	ClusterExternalSecretStatusConditionKey   = "status_condition"
@@ -56,10 +59,12 @@ func SetUpMetrics() {
 	}
 }
 
+// GetGaugeVec returns a GaugeVec for the given metric key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }
 
+// UpdateClusterExternalSecretCondition updates the metrics for a ClusterExternalSecret based on its condition.
 func UpdateClusterExternalSecretCondition(ces *esv1.ClusterExternalSecret, condition *esv1.ClusterExternalSecretStatusCondition) {
 	if condition.Status != v1.ConditionTrue {
 		// This should not happen
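Review bot: The new comment on `GetGaugeVec` does not say what happens for an unknown key: `return gaugeVecMetrics[key]` yields a nil `*prometheus.GaugeVec` when the key is absent (assuming `gaugeVecMetrics` is a map, which is declared outside the hunk), and calling a method on that nil vector would panic. Document it, e.g. `// GetGaugeVec returns the GaugeVec registered under key, or nil if no such metric exists.` The same applies to `GetGaugeVec` in pkg/controllers/clusterpushsecret/cpsmetrics/cpsmetrics.go. Only the first constant in the block received a comment (`ClusterExternalSecretSubsystem`); the two key constants below it are still undocumented.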

+ 10 - 3
pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package clusterexternalsecret implements a controller for managing ClusterExternalSecret resources,
+// which allow creating ExternalSecrets across multiple namespaces.
 package clusterexternalsecret
 
 import (
@@ -43,7 +45,7 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret/cesmetrics"
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 // Reconciler reconciles a ClusterExternalSecret object.
@@ -67,6 +69,11 @@ const (
 	ClusterExternalSecretFinalizer = "externalsecrets.external-secrets.io/clusterexternalsecret-cleanup"
 )
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+//
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("ClusterExternalSecret", req.NamespacedName)
 
@@ -148,7 +155,7 @@ func (r *Reconciler) reconcile(ctx context.Context, log logr.Logger, clusterExte
 	}
 	selectors = append(selectors, clusterExternalSecret.Spec.NamespaceSelectors...)
 
-	namespaces, err := utils.GetTargetNamespaces(ctx, r.Client, clusterExternalSecret.Spec.Namespaces, selectors)
+	namespaces, err := esutils.GetTargetNamespaces(ctx, r.Client, clusterExternalSecret.Spec.Namespaces, selectors)
 	if err != nil {
 		log.Error(err, "failed to get target Namespaces")
 		failedNamespaces := map[string]error{
@@ -524,7 +531,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options)
 		Watches(
 			&v1.Namespace{},
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForNamespace),
-			builder.WithPredicates(utils.NamespacePredicate()),
+			builder.WithPredicates(esutils.NamespacePredicate()),
 		).
 		Complete(r)
 }

+ 11 - 11
pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller_test.go

@@ -524,7 +524,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				ces.Spec.RefreshInterval = &metav1.Duration{Duration: 100 * time.Millisecond}
 				ces.Spec.NamespaceSelector = &metav1.LabelSelector{
@@ -602,7 +602,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				ces.Spec.RefreshInterval = &metav1.Duration{Duration: 100 * time.Millisecond}
 				ces.Spec.NamespaceSelector = &metav1.LabelSelector{
@@ -663,14 +663,14 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				ces.Spec.NamespaceSelector = &metav1.LabelSelector{
 					MatchLabels: map[string]string{metadataLabelName: "no-namespace-matches"},
 				}
 				return *ces
 			},
-			expectedClusterExternalSecret: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
+			expectedClusterExternalSecret: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
 				return esv1.ClusterExternalSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -687,7 +687,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				}
 			},
-			expectedExternalSecrets: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
+			expectedExternalSecrets: func(_ []v1.Namespace, _ esv1.ClusterExternalSecret) []esv1.ExternalSecret {
 				return []esv1.ExternalSecret{}
 			},
 		}),
@@ -718,7 +718,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				ces.Spec.NamespaceSelectors = []*metav1.LabelSelector{
 					{
@@ -730,7 +730,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 				}
 				return *ces
 			},
-			expectedClusterExternalSecret: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
+			expectedClusterExternalSecret: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
 				return esv1.ClusterExternalSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -751,7 +751,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				}
 			},
-			expectedExternalSecrets: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
+			expectedExternalSecrets: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
 				return []esv1.ExternalSecret{
 					{
 						ObjectMeta: metav1.ObjectMeta{
@@ -778,14 +778,14 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				// does-not-exists tests that we would continue on to the next and not stop if the
 				// namespace hasn't been created yet.
 				ces.Spec.Namespaces = []string{"does-not-exist", "not-matching-namespace"}
 				return *ces
 			},
-			expectedClusterExternalSecret: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
+			expectedClusterExternalSecret: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
 				return esv1.ClusterExternalSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -805,7 +805,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				}
 			},
-			expectedExternalSecrets: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
+			expectedExternalSecrets: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
 				return []esv1.ExternalSecret{
 					{
 						ObjectMeta: metav1.ObjectMeta{

+ 5 - 0
pkg/controllers/clusterexternalsecret/util.go

@@ -23,6 +23,9 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret/cesmetrics"
 )
 
+// NewClusterExternalSecretCondition creates a new ClusterExternalSecret condition based on failed namespaces.
+// If there are no failed namespaces, it returns a Ready condition with True status.
+// Otherwise, it returns a Ready condition with False status and an error message.
 func NewClusterExternalSecretCondition(failedNamespaces map[string]error) *esv1.ClusterExternalSecretStatusCondition {
 	if len(failedNamespaces) == 0 {
 		return &esv1.ClusterExternalSecretStatusCondition{
@@ -40,6 +43,8 @@ func NewClusterExternalSecretCondition(failedNamespaces map[string]error) *esv1.
 	return condition
 }
 
+// SetClusterExternalSecretCondition updates the conditions on the ClusterExternalSecret status
+// and updates the corresponding metrics.
 func SetClusterExternalSecretCondition(ces *esv1.ClusterExternalSecret, condition esv1.ClusterExternalSecretStatusCondition) {
 	ces.Status.Conditions = append(filterOutCondition(ces.Status.Conditions, condition.Type), condition)
 	cesmetrics.UpdateClusterExternalSecretCondition(ces, &condition)

+ 8 - 3
pkg/controllers/clusterpushsecret/clusterpushsecret_controller.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package clusterpushsecret implements a controller for managing ClusterPushSecret resources,
+// which allow pushing secrets to external systems across multiple namespaces.
 package clusterpushsecret
 
 import (
@@ -42,7 +44,7 @@ import (
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterpushsecret/cpsmetrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/pushsecret"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 // Reconciler reconciles a ClusterPushSecret object.
@@ -62,6 +64,9 @@ const (
 	errNamespacesFailed     = "one or more namespaces failed"
 )
 
+// Reconcile handles the reconciliation loop for ClusterPushSecret resources.
+// It ensures that PushSecrets are created in selected namespaces according to the
+// ClusterPushSecret specification and maintains their status.
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("ClusterPushSecret", req.NamespacedName)
 
@@ -102,7 +107,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	cps.Status.PushSecretName = esName
 
-	namespaces, err := utils.GetTargetNamespaces(ctx, r.Client, nil, cps.Spec.NamespaceSelectors)
+	namespaces, err := esutils.GetTargetNamespaces(ctx, r.Client, nil, cps.Spec.NamespaceSelectors)
 	if err != nil {
 		log.Error(err, "failed to get target Namespaces")
 		r.markAsFailed("failed to get target Namespaces", &cps)
@@ -322,7 +327,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options)
 		Watches(
 			&v1.Namespace{},
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForNamespace),
-			builder.WithPredicates(utils.NamespacePredicate()),
+			builder.WithPredicates(esutils.NamespacePredicate()),
 		).
 		Complete(r)
 }

+ 8 - 8
pkg/controllers/clusterpushsecret/clusterpushsecret_controller_test.go

@@ -630,7 +630,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 				},
 			},
 			sourceSecret: defaultSourceSecret,
-			clusterPushSecret: func(namespaces []v1.Namespace) v1alpha1.ClusterPushSecret {
+			clusterPushSecret: func(_ []v1.Namespace) v1alpha1.ClusterPushSecret {
 				pes := defaultClusterPushSecret()
 				pes.Spec.RefreshInterval = &metav1.Duration{Duration: 100 * time.Millisecond}
 				pes.Spec.NamespaceSelectors = []*metav1.LabelSelector{
@@ -704,7 +704,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 				},
 			},
 			sourceSecret: defaultSourceSecret,
-			clusterPushSecret: func(namespaces []v1.Namespace) v1alpha1.ClusterPushSecret {
+			clusterPushSecret: func(_ []v1.Namespace) v1alpha1.ClusterPushSecret {
 				pes := defaultClusterPushSecret()
 				pes.Spec.RefreshInterval = &metav1.Duration{Duration: 100 * time.Millisecond}
 				pes.Spec.NamespaceSelectors = []*metav1.LabelSelector{
@@ -767,7 +767,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 					},
 				},
 			},
-			clusterPushSecret: func(namespaces []v1.Namespace) v1alpha1.ClusterPushSecret {
+			clusterPushSecret: func(_ []v1.Namespace) v1alpha1.ClusterPushSecret {
 				pes := defaultClusterPushSecret()
 				pes.Spec.NamespaceSelectors = []*metav1.LabelSelector{
 					{
@@ -777,7 +777,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 				return *pes
 			},
 			sourceSecret: defaultSourceSecret,
-			expectedClusterPushSecret: func(namespaces []v1.Namespace, created v1alpha1.ClusterPushSecret) v1alpha1.ClusterPushSecret {
+			expectedClusterPushSecret: func(_ []v1.Namespace, created v1alpha1.ClusterPushSecret) v1alpha1.ClusterPushSecret {
 				return v1alpha1.ClusterPushSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -794,7 +794,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 					},
 				}
 			},
-			expectedPushSecrets: func(namespaces []v1.Namespace, created v1alpha1.ClusterPushSecret) []v1alpha1.PushSecret {
+			expectedPushSecrets: func([]v1.Namespace, v1alpha1.ClusterPushSecret) []v1alpha1.PushSecret {
 				return []v1alpha1.PushSecret{}
 			},
 		}),
@@ -825,7 +825,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 					},
 				},
 			},
-			clusterPushSecret: func(namespaces []v1.Namespace) v1alpha1.ClusterPushSecret {
+			clusterPushSecret: func(_ []v1.Namespace) v1alpha1.ClusterPushSecret {
 				pes := defaultClusterPushSecret()
 				pes.Spec.NamespaceSelectors = []*metav1.LabelSelector{
 					{
@@ -838,7 +838,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 				return *pes
 			},
 			sourceSecret: defaultSourceSecret,
-			expectedClusterPushSecret: func(namespaces []v1.Namespace, created v1alpha1.ClusterPushSecret) v1alpha1.ClusterPushSecret {
+			expectedClusterPushSecret: func(_ []v1.Namespace, created v1alpha1.ClusterPushSecret) v1alpha1.ClusterPushSecret {
 				return v1alpha1.ClusterPushSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -859,7 +859,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 					},
 				}
 			},
-			expectedPushSecrets: func(namespaces []v1.Namespace, created v1alpha1.ClusterPushSecret) []v1alpha1.PushSecret {
+			expectedPushSecrets: func(_ []v1.Namespace, created v1alpha1.ClusterPushSecret) []v1alpha1.PushSecret {
 				return []v1alpha1.PushSecret{
 					{
 						ObjectMeta: metav1.ObjectMeta{

+ 4 - 0
pkg/controllers/clusterpushsecret/cpsmetrics/cpsmetrics.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cpsmetrics provides functionality for tracking and exposing metrics related to ClusterPushSecret resources.
 package cpsmetrics
 
 import (
@@ -25,6 +26,7 @@ import (
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 )
 
+// Constants for metrics subsystem and keys.
 const (
 	ClusterPushSecretSubsystem            = "clusterpushsecret"
 	ClusterPushSecretReconcileDurationKey = "reconcile_duration"
@@ -56,10 +58,12 @@ func SetUpMetrics() {
 	}
 }
 
+// GetGaugeVec returns a GaugeVec for the given metric key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }
 
+// UpdateClusterPushSecretCondition updates the metrics for a ClusterPushSecret based on its condition.
 func UpdateClusterPushSecretCondition(ces *v1alpha1.ClusterPushSecret, condition *v1alpha1.PushSecretStatusCondition) {
 	if condition.Status != v1.ConditionTrue {
 		// This should not happen
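Review bot: The new comment on GetGaugeVec does not say what callers get for a key that was never registered. The body is a plain index, `return gaugeVecMetrics[key]`, so an unknown key yields a nil `*prometheus.GaugeVec`, and a chained call on it would presumably panic rather than return an error. I would extend the comment to `// GetGaugeVec returns the GaugeVec registered for key, or nil if SetUpMetrics did not register one.` so callers know to check.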

+ 5 - 0
pkg/controllers/clusterpushsecret/util.go

@@ -23,6 +23,9 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterpushsecret/cpsmetrics"
 )
 
+// NewClusterPushSecretCondition creates a new PushSecretStatusCondition based on failed namespaces.
+// If there are no failed namespaces, it returns a Ready condition with True status.
+// Otherwise, it returns a Ready condition with False status and an error message.
 func NewClusterPushSecretCondition(failedNamespaces map[string]error) *v1alpha1.PushSecretStatusCondition {
 	if len(failedNamespaces) == 0 {
 		return &v1alpha1.PushSecretStatusCondition{
@@ -40,6 +43,8 @@ func NewClusterPushSecretCondition(failedNamespaces map[string]error) *v1alpha1.
 	return condition
 }
 
+// SetClusterPushSecretCondition updates the conditions on the ClusterPushSecret status
+// and updates the corresponding metrics.
 func SetClusterPushSecretCondition(ces *v1alpha1.ClusterPushSecret, condition v1alpha1.PushSecretStatusCondition) {
 	ces.Status.Conditions = append(filterOutCondition(ces.Status.Conditions, condition.Type), condition)
 	cpsmetrics.UpdateClusterPushSecretCondition(ces, &condition)

+ 2 - 1
pkg/controllers/common/common.go

@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package common
+// Package ctrlcommon provides shared utility functions for controllers
+package ctrlcommon
 
 import (
 	"context"

+ 3 - 0
pkg/controllers/commontest/common.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package commontest provides testing utilities for controllers.
 package commontest
 
 import (
@@ -32,6 +33,7 @@ func CreateNamespace(baseName string, c client.Client) (string, error) {
 	return CreateNamespaceWithLabels(baseName, c, map[string]string{})
 }
 
+// CreateNamespaceWithLabels creates a namespace with the given labels and returns its name.
 func CreateNamespaceWithLabels(baseName string, c client.Client, labels map[string]string) (string, error) {
 	genName := fmt.Sprintf("ctrl-test-%v", baseName)
 	ns := &v1.Namespace{
@@ -54,6 +56,7 @@ func CreateNamespaceWithLabels(baseName string, c client.Client, labels map[stri
 	return ns.Name, nil
 }
 
+// HasOwnerRef checks if the given ObjectMeta has an owner reference with the specified kind and name.
 func HasOwnerRef(meta metav1.ObjectMeta, kind, name string) bool {
 	for _, ref := range meta.OwnerReferences {
 		if ref.Kind == kind && ref.Name == name {

+ 1 - 0
pkg/controllers/crds/common_test.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package crds contains controllers for handling Custom Resource Definitions.
 package crds
 
 import (
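Review bot: This package comment is worded differently from the one the same commit adds to pkg/controllers/crds/crds_controller.go ("contains controllers" here, "implements controllers" there). Go convention is a single package comment per package, kept in one non-test file, so that the documentation has one authoritative sentence. I would drop the comment from this test file, or if the linter insists on one here, copy the wording from crds_controller.go exactly.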

+ 17 - 3
pkg/controllers/crds/crds_controller.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package crds implements controllers for handling Custom Resource Definitions.
 package crds
 
 import (
@@ -35,7 +36,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -54,11 +55,13 @@ const (
 	caCertName           = "ca.crt"
 	caKeyName            = "ca.key"
 	certValidityDuration = 10 * 365 * 24 * time.Hour
-	LookaheadInterval    = 90 * 24 * time.Hour
+	// LookaheadInterval defines the interval to look ahead for certificate expiration.
+	LookaheadInterval = 90 * 24 * time.Hour
 
 	errResNotReady = "resource not ready: %s"
 )
 
+// Reconciler implements a reconciliation handler for CRD controllers.
 type Reconciler struct {
 	client.Client
 	Log             logr.Logger
@@ -83,6 +86,7 @@ type Reconciler struct {
 	readyStatusMap   map[string]bool
 }
 
+// Opts defines configuration options for the CRD controller.
 type Opts struct {
 	SvcName         string
 	SvcNamespace    string
@@ -91,6 +95,7 @@ type Opts struct {
 	Resources       []string
 }
 
+// New returns a new CRD controller instance.
 func New(k8sClient client.Client, scheme *runtime.Scheme, leaderChan <-chan struct{}, logger logr.Logger,
 	interval time.Duration, opts Opts) *Reconciler {
 	return &Reconciler{
@@ -111,6 +116,7 @@ func New(k8sClient client.Client, scheme *runtime.Scheme, leaderChan <-chan stru
 	}
 }
 
+// CertInfo holds certificate data information.
 type CertInfo struct {
 	CertDir  string
 	CertName string
@@ -118,6 +124,7 @@ type CertInfo struct {
 	CAName   string
 }
 
+// Reconcile handles the reconciliation logic for CRDs.
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("CustomResourceDefinition", req.NamespacedName)
 	if slices.Contains(r.CrdResources, req.NamespacedName.Name) {
@@ -152,7 +159,7 @@ func (r *Reconciler) ReadyCheck(_ *http.Request) error {
 	if err := r.checkCRDs(); err != nil {
 		return err
 	}
-	return utils.CheckEndpointSlicesReady(context.TODO(), r.Client, r.SvcName, r.SvcNamespace)
+	return esutils.CheckEndpointSlicesReady(context.TODO(), r.Client, r.SvcName, r.SvcNamespace)
 }
 
 func (r *Reconciler) checkCRDs() error {
@@ -167,6 +174,7 @@ func (r *Reconciler) checkCRDs() error {
 	return nil
 }
 
+// SetupWithManager sets up the controller with the Manager.
 func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options) error {
 	r.recorder = mgr.GetEventRecorderFor("custom-resource-definition")
 	return ctrl.NewControllerManagedBy(mgr).
@@ -254,6 +262,7 @@ func injectCert(crd *apiext.CustomResourceDefinition, certPem []byte) error {
 	return nil
 }
 
+// KeyPairArtifacts stores certificate key pair data.
 type KeyPairArtifacts struct {
 	Cert    *x509.Certificate
 	Key     *rsa.PrivateKey
@@ -261,6 +270,7 @@ type KeyPairArtifacts struct {
 	KeyPEM  []byte
 }
 
+// populateSecret populates the secret with the given certificate and key data.
 func populateSecret(cert, key []byte, caArtifacts *KeyPairArtifacts, secret *corev1.Secret) {
 	if secret.Data == nil {
 		secret.Data = make(map[string][]byte)
@@ -271,6 +281,7 @@ func populateSecret(cert, key []byte, caArtifacts *KeyPairArtifacts, secret *cor
 	secret.Data[keyName] = key
 }
 
+// ValidCert checks if the provided certificate is valid for the given DNS name.
 func ValidCert(caCert, cert, key []byte, dnsName string, at time.Time) (bool, error) {
 	if len(caCert) == 0 || len(cert) == 0 || len(key) == 0 {
 		return false, errors.New("empty cert")
@@ -414,6 +425,7 @@ func buildArtifactsFromSecret(secret *corev1.Secret) (*KeyPairArtifacts, error)
 	}, nil
 }
 
+// CreateCACert creates a new CA certificate.
 func (r *Reconciler) CreateCACert(begin, end time.Time) (*KeyPairArtifacts, error) {
 	templ := &x509.Certificate{
 		SerialNumber: big.NewInt(0),
@@ -450,6 +462,7 @@ func (r *Reconciler) CreateCACert(begin, end time.Time) (*KeyPairArtifacts, erro
 	return &KeyPairArtifacts{Cert: cert, Key: key, CertPEM: certPEM, KeyPEM: keyPEM}, nil
 }
 
+// CreateCAChain creates a certificate chain using the provided CA.
 func (r *Reconciler) CreateCAChain(ca *KeyPairArtifacts, begin, end time.Time) (*KeyPairArtifacts, error) {
 	templ := &x509.Certificate{
 		SerialNumber: big.NewInt(2),
@@ -486,6 +499,7 @@ func (r *Reconciler) CreateCAChain(ca *KeyPairArtifacts, begin, end time.Time) (
 	return &KeyPairArtifacts{Cert: cert, Key: key, CertPEM: certPEM, KeyPEM: keyPEM}, nil
 }
 
+// CreateCertPEM creates a new certificate in PEM format.
 func (r *Reconciler) CreateCertPEM(ca *KeyPairArtifacts, begin, end time.Time) ([]byte, []byte, error) {
 	templ := &x509.Certificate{
 		SerialNumber: big.NewInt(1),
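Review bot: The doc comments added to CreateCACert, CreateCAChain and CreateCertPEM do not mention that each template uses a constant serial number (`big.NewInt(0)`, `big.NewInt(2)` and `big.NewInt(1)` in the context lines). RFC 5280 expects a positive serial that is unique per issuer, so a CA serial of 0 and a repeated serial on every reissued certificate are things strict validators may reject and that make individual certificates hard to tell apart in logs or revocation data. If the constants are deliberate, say so in the comment, e.g. `// The serial number is fixed; these certificates are only consumed by the in-cluster webhook.`; otherwise draw it from crypto/rand with `serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))`. The three function bodies continue outside their hunks, so later handling of the serial is not visible here.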

+ 14 - 5
pkg/controllers/externalsecret/esmetrics/esmetrics.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package esmetrics provides metrics functionality for the ExternalSecret controller
 package esmetrics
 
 import (
@@ -26,10 +27,15 @@ import (
 )
 
 const (
-	ExternalSecretSubsystem            = "externalsecret"
-	SyncCallsKey                       = "sync_calls_total"
-	SyncCallsErrorKey                  = "sync_calls_error"
-	ExternalSecretStatusConditionKey   = "status_condition"
+	// ExternalSecretSubsystem is the subsystem for the external-secret controller.
+	ExternalSecretSubsystem = "externalsecret"
+	// SyncCallsKey is the metric key for sync calls.
+	SyncCallsKey = "sync_calls_total"
+	// SyncCallsErrorKey is the metric key for sync call errors.
+	SyncCallsErrorKey = "sync_calls_error"
+	// ExternalSecretStatusConditionKey is the metric key for the external secret status condition.
+	ExternalSecretStatusConditionKey = "status_condition"
+	// ExternalSecretReconcileDurationKey is the metric key for the external secret reconcile duration.
 	ExternalSecretReconcileDurationKey = "reconcile_duration"
 )
 
@@ -37,7 +43,7 @@ var counterVecMetrics = map[string]*prometheus.CounterVec{}
 
 var gaugeVecMetrics = map[string]*prometheus.GaugeVec{}
 
-// Called at the root to set-up the metric logic using the
+// SetUpMetrics is called at the root to set-up the metric logic using the
 // config flags provided.
 func SetUpMetrics() {
 	// Obtain the prometheus metrics and register
@@ -78,6 +84,7 @@ func SetUpMetrics() {
 	}
 }
 
+// UpdateExternalSecretCondition is a function that updates the condition of an external secret.
 func UpdateExternalSecretCondition(es *esv1.ExternalSecret, condition *esv1.ExternalSecretStatusCondition, value float64) {
 	esInfo := make(map[string]string)
 	esInfo["name"] = es.Name
@@ -148,10 +155,12 @@ func UpdateExternalSecretCondition(es *esv1.ExternalSecret, condition *esv1.Exte
 		})).Set(value)
 }
 
+// GetCounterVec returns the counter vec for the given key.
 func GetCounterVec(key string) *prometheus.CounterVec {
 	return counterVecMetrics[key]
 }
 
+// GetGaugeVec returns the gauge vec for the given key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }
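Review bot: The comment added to UpdateExternalSecretCondition says it "updates the condition of an external secret", but the visible lines only build a label map from `es` and end in `.Set(value)` on a metric. This suggests it records the condition in a Prometheus gauge rather than changing the object's status. The cpsmetrics counterpart in this commit is worded as "updates the metrics ... based on its condition", which is the clearer contract. I would write `// UpdateExternalSecretCondition sets the status-condition gauge for es and the given condition to value.` and drop the "is a function that" filler. Most of the body lies outside the hunk, so the exact gauge name should be confirmed against it.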

+ 10 - 9
pkg/controllers/externalsecret/externalsecret_controller.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package externalsecret implements the controller for managing ExternalSecret resources
 package externalsecret
 
 import (
@@ -54,8 +55,8 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 
 	// Loading registered generators.
 	_ "github.com/external-secrets/external-secrets/pkg/generator/register"
@@ -472,7 +473,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 		// we also use a label to keep track of the owner of the secret
 		// this lets us remove secrets that are no longer needed if the target secret name changes
 		if externalSecret.Spec.Target.CreationPolicy == esv1.CreatePolicyOwner {
-			lblValue := utils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
+			lblValue := esutils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
 			secret.Labels[esv1.LabelOwner] = lblValue
 		} else {
 			// the label should not be set if the creation policy is not Owner
@@ -480,7 +481,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 		}
 
 		secret.Labels[esv1.LabelManaged] = esv1.LabelManagedValue
-		secret.Annotations[esv1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
+		secret.Annotations[esv1.AnnotationDataHash] = esutils.ObjectHash(secret.Data)
 
 		return nil
 	}
@@ -605,7 +606,7 @@ func (r *Reconciler) markAsDone(externalSecret *esv1.ExternalSecret, start time.
 	SetExternalSecretCondition(externalSecret, *newReadyCondition)
 
 	externalSecret.Status.RefreshTime = metav1.NewTime(start)
-	externalSecret.Status.SyncedResourceVersion = util.GetResourceVersion(externalSecret.ObjectMeta)
+	externalSecret.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(externalSecret.ObjectMeta)
 
 	// if the status or reason has changed, log at the appropriate verbosity level
 	if oldReadyCondition == nil || oldReadyCondition.Status != newReadyCondition.Status || oldReadyCondition.Reason != newReadyCondition.Reason {
@@ -659,7 +660,7 @@ func (r *Reconciler) cleanupManagedSecrets(ctx context.Context, log logr.Logger,
 }
 
 func (r *Reconciler) deleteOrphanedSecrets(ctx context.Context, externalSecret *esv1.ExternalSecret, secretName string) error {
-	ownerLabel := utils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
+	ownerLabel := esutils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
 
 	// we use a PartialObjectMetadataList to avoid loading the full secret objects
 	// and because the Secrets partials are always cached due to WatchesMetadata() in SetupWithManager()
@@ -930,7 +931,7 @@ func shouldRefresh(es *esv1.ExternalSecret) bool {
 			return true
 		}
 
-		return es.Status.SyncedResourceVersion != util.GetResourceVersion(es.ObjectMeta)
+		return es.Status.SyncedResourceVersion != ctrlutil.GetResourceVersion(es.ObjectMeta)
 
 	case esv1.RefreshPolicyPeriodic:
 		return shouldRefreshPeriodic(es)
@@ -947,7 +948,7 @@ func shouldRefreshPeriodic(es *esv1.ExternalSecret) bool {
 	}
 
 	// if the ExternalSecret has been updated, we should refresh
-	if es.Status.SyncedResourceVersion != util.GetResourceVersion(es.ObjectMeta) {
+	if es.Status.SyncedResourceVersion != ctrlutil.GetResourceVersion(es.ObjectMeta) {
 		return true
 	}
 
@@ -983,7 +984,7 @@ func isSecretValid(existingSecret *v1.Secret, es *esv1.ExternalSecret) bool {
 
 	// if the data-hash annotation is missing or incorrect, then it's invalid
 	// this is how we know if the data has chanced since we last updated the secret
-	if existingSecret.Annotations[esv1.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
+	if existingSecret.Annotations[esv1.AnnotationDataHash] != esutils.ObjectHash(existingSecret.Data) {
 		return false
 	}
 

+ 15 - 15
pkg/controllers/externalsecret/externalsecret_controller_secret.go

@@ -29,16 +29,16 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/generator/statemanager"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 
 	// Loading registered generators.
 	_ "github.com/external-secrets/external-secrets/pkg/generator/register"
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"
 )
 
-// getProviderSecretData returns the provider's secret data with the provided ExternalSecret.
+// GetProviderSecretData returns the provider's secret data with the provided ExternalSecret.
 func (r *Reconciler) GetProviderSecretData(ctx context.Context, externalSecret *esv1.ExternalSecret) (providerData map[string][]byte, err error) {
 	// We MUST NOT create multiple instances of a provider client (mostly due to limitations with GCP)
 	// Clientmanager keeps track of the client instances
@@ -103,7 +103,7 @@ func (r *Reconciler) GetProviderSecretData(ctx context.Context, externalSecret *
 			return nil, err
 		}
 
-		providerData = utils.MergeByteMap(providerData, secretMap)
+		providerData = esutils.MergeByteMap(providerData, secretMap)
 	}
 
 	for i, secretRef := range externalSecret.Spec.Data {
@@ -133,7 +133,7 @@ func (r *Reconciler) handleSecretData(ctx context.Context, externalSecret *esv1.
 	}
 
 	// decode the secret if needed
-	secretData, err = utils.Decode(secretRef.RemoteRef.DecodingStrategy, secretData)
+	secretData, err = esutils.Decode(secretRef.RemoteRef.DecodingStrategy, secretData)
 	if err != nil {
 		return fmt.Errorf(errDecode, secretRef.RemoteRef.DecodingStrategy, err)
 	}
@@ -178,13 +178,13 @@ func (r *Reconciler) handleGenerateSecrets(ctx context.Context, namespace string
 		generatorState.EnqueueSetLatest(ctx, generatorStateKey(i), namespace, generatorResource, impl, newState)
 	}
 	// rewrite the keys if needed
-	secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
+	secretMap, err = esutils.RewriteMap(remoteRef.Rewrite, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errRewrite, err)
 	}
 
 	// validate the keys
-	err = utils.ValidateKeys(r.Log, secretMap)
+	err = esutils.ValidateKeys(r.Log, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errInvalidKeys, err)
 	}
@@ -212,25 +212,25 @@ func (r *Reconciler) handleExtractSecrets(ctx context.Context, externalSecret *e
 	}
 
 	// rewrite the keys if needed
-	secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
+	secretMap, err = esutils.RewriteMap(remoteRef.Rewrite, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errRewrite, err)
 	}
 	if len(remoteRef.Rewrite) == 0 {
-		secretMap, err = utils.ConvertKeys(remoteRef.Extract.ConversionStrategy, secretMap)
+		secretMap, err = esutils.ConvertKeys(remoteRef.Extract.ConversionStrategy, secretMap)
 		if err != nil {
 			return nil, fmt.Errorf(errConvert, remoteRef.Extract.ConversionStrategy, err)
 		}
 	}
 
 	// validate the keys
-	err = utils.ValidateKeys(r.Log, secretMap)
+	err = esutils.ValidateKeys(r.Log, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errInvalidKeys, err)
 	}
 
 	// decode the secrets if needed
-	secretMap, err = utils.DecodeMap(remoteRef.Extract.DecodingStrategy, secretMap)
+	secretMap, err = esutils.DecodeMap(remoteRef.Extract.DecodingStrategy, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errDecode, remoteRef.Extract.DecodingStrategy, err)
 	}
@@ -253,25 +253,25 @@ func (r *Reconciler) handleFindAllSecrets(ctx context.Context, externalSecret *e
 	}
 
 	// rewrite the keys if needed
-	secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
+	secretMap, err = esutils.RewriteMap(remoteRef.Rewrite, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errRewrite, err)
 	}
 	if len(remoteRef.Rewrite) == 0 {
-		secretMap, err = utils.ConvertKeys(remoteRef.Find.ConversionStrategy, secretMap)
+		secretMap, err = esutils.ConvertKeys(remoteRef.Find.ConversionStrategy, secretMap)
 		if err != nil {
 			return nil, fmt.Errorf(errConvert, remoteRef.Find.ConversionStrategy, err)
 		}
 	}
 
 	// validate the keys
-	err = utils.ValidateKeys(r.Log, secretMap)
+	err = esutils.ValidateKeys(r.Log, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errInvalidKeys, err)
 	}
 
 	// decode the secrets if needed
-	secretMap, err = utils.DecodeMap(remoteRef.Find.DecodingStrategy, secretMap)
+	secretMap, err = esutils.DecodeMap(remoteRef.Find.DecodingStrategy, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errDecode, remoteRef.Find.DecodingStrategy, err)
 	}

+ 6 - 6
pkg/controllers/externalsecret/externalsecret_controller_template.go

@@ -26,13 +26,13 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/templating"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/template"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register" // Loading registered providers.
 )
 
-// merge template in the following order:
+// ApplyTemplate merges templates in the following order:
 // * template.Data (highest precedence)
 // * template.TemplateFrom
 // * secret via es.data or es.dataFrom (if template.MergePolicy is Merge, or there is no template)
@@ -137,14 +137,14 @@ func setMetadata(secret *v1.Secret, es *esv1.ExternalSecret) error {
 
 	// if no template is defined, copy labels and annotations from the ExternalSecret
 	if es.Spec.Target.Template == nil {
-		utils.MergeStringMap(secret.ObjectMeta.Labels, es.ObjectMeta.Labels)
-		utils.MergeStringMap(secret.ObjectMeta.Annotations, es.ObjectMeta.Annotations)
+		esutils.MergeStringMap(secret.ObjectMeta.Labels, es.ObjectMeta.Labels)
+		esutils.MergeStringMap(secret.ObjectMeta.Annotations, es.ObjectMeta.Annotations)
 		return nil
 	}
 
 	// copy labels and annotations from the template
-	utils.MergeStringMap(secret.ObjectMeta.Labels, es.Spec.Target.Template.Metadata.Labels)
-	utils.MergeStringMap(secret.ObjectMeta.Annotations, es.Spec.Target.Template.Metadata.Annotations)
+	esutils.MergeStringMap(secret.ObjectMeta.Labels, es.Spec.Target.Template.Metadata.Labels)
+	esutils.MergeStringMap(secret.ObjectMeta.Annotations, es.Spec.Target.Template.Metadata.Annotations)
 
 	// add finalizers from the template
 	if secret.ObjectMeta.DeletionTimestamp.IsZero() {

+ 81 - 80
pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -44,8 +44,8 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/util"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -162,7 +162,7 @@ var _ = Describe("Kind=secret existence logic", func() {
 						esv1.LabelManaged: esv1.LabelManagedValue,
 					},
 					Annotations: map[string]string{
-						esv1.AnnotationDataHash: utils.ObjectHash(validData),
+						esv1.AnnotationDataHash: esutils.ObjectHash(validData),
 					},
 				},
 				Data: validData,
@@ -286,7 +286,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 				}
 				return true
 			},
-			checkExternalSecret: func(es *esv1.ExternalSecret) {
+			checkExternalSecret: func(_ *esv1.ExternalSecret) {
 				// noop by default
 			},
 			secretStore: &esv1.SecretStore{
@@ -343,7 +343,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 	syncBigNames := func(tc *testCase) {
 		tc.targetSecretName = "this-is-a-very-big-secret-name-that-wouldnt-be-generated-due-to-label-limits"
 		tc.externalSecret.Spec.Target.Name = "this-is-a-very-big-secret-name-that-wouldnt-be-generated-due-to-label-limits"
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1.ExternalSecret, _ *v1.Secret) {
 			// check binding secret on external secret
 			Expect(es.Status.Binding.Name).To(Equal(tc.externalSecret.Spec.Target.Name))
 		}
@@ -376,7 +376,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
 
@@ -409,7 +409,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(existingLabelKey, existingLabelValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
@@ -439,7 +439,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}, client.FieldOwner(ExternalSecretFQDN))).To(Succeed())
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Labels).NotTo(HaveKeyWithValue(existingLabelKey, existingLabelValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
@@ -450,7 +450,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 	checkPrometheusCounters := func(tc *testCase) {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, _ *v1.Secret) {
 			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
 			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
 			Eventually(func() bool {
@@ -493,7 +493,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check value
 			Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@@ -538,7 +538,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// Overwrite the secret value to check if the change kicks reconciliation and overwrites it again
 			Expect(k8sClient.Update(context.Background(), &v1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
@@ -570,7 +570,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			oldResourceVersion := secret.ResourceVersion
 
 			cleanSecret := secret.DeepCopy()
@@ -617,7 +617,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -647,7 +647,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check that value stays the same
 			Expect(string(secret.Data[existingKey])).To(Equal(secretVal))
 
@@ -694,7 +694,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[secretKey])).To(Equal(secretVal))
 		}
@@ -733,7 +733,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[secretKey])).To(Equal(secretVal))
 		}
@@ -769,7 +769,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 	}
 
-	ignoreMismatchControllerForGeneratorRef := func(tc *testCase) {
+	ignoreMismatchControllerForGeneratorRef := func(_ *testCase) {
 		const secretKey = "somekey"
 		const secretVal = "someValue"
 
@@ -862,7 +862,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("bar"))
 			Expect(string(secret.Data["foo2"])).To(Equal("bar2"))
@@ -934,7 +934,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 		}
@@ -1019,7 +1019,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"targetProperty": []byte(FooValue),
 			"bar":            []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@@ -1092,7 +1092,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"targetKey":   []byte(FooValue),
 			"targetValue": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["map-foo-value-cm"])).To(Equal(BarValue))
 			Expect(string(secret.Data["map-foo-value-sec"])).To(Equal(BarValue))
@@ -1140,7 +1140,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"targetValue": []byte(BarValue),
 			"complex":     []byte("{\"nested\":\"json\",\"can\":\"be\",\"templated\":\"successfully\"}"),
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["map-foo-value-literal"])).To(Equal(BarValue))
 			Expect(string(secret.Data["nested"])).To(Equal("json"))
@@ -1261,7 +1261,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -1300,7 +1300,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
@@ -1342,7 +1342,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
@@ -1372,7 +1372,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: 0}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -1412,7 +1412,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		tc.externalSecret.Spec.Target.DeletionPolicy = esv1.DeletionPolicyDelete
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Data["foo"]).To(Equal(expVal))
 
 			// update provider secret
@@ -1459,7 +1459,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		tc.externalSecret.Spec.Target.DeletionPolicy = esv1.DeletionPolicyRetain
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Data["foo"]).To(Equal(expVal))
 
 			sec := &v1.Secret{}
@@ -1540,7 +1540,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check value
 			Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@@ -1572,7 +1572,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		tc.externalSecret.Spec.Target.CreationPolicy = esv1.CreatePolicyOrphan
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check value
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -1623,7 +1623,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["new-foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["new-bar"])).To(Equal(BarValue))
@@ -1666,7 +1666,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -1715,7 +1715,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -1742,7 +1742,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["bar"])).To(Equal(BarValue))
@@ -1773,7 +1773,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["new-foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["new-bar"])).To(Equal(BarValue))
@@ -1797,7 +1797,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["bar"])).To(Equal(BarValue))
@@ -1826,7 +1826,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"tls.crt": []byte(FooValue),
 			"tls.key": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Type).To(Equal(v1.SecretTypeTLS))
 			// check values
 			Expect(string(secret.Data["tls.crt"])).To(Equal(FooValue))
@@ -1885,7 +1885,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -1911,7 +1911,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -1930,7 +1930,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			cond := GetExternalSecretCondition(es.Status, esv1.ExternalSecretReady)
 			return cond == nil
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			// Condition True and False should be 0, since the Condition was not created
 			Eventually(func() float64 {
 				Expect(testExternalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
@@ -1969,7 +1969,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 
 			// check values
 			oldUID := secret.UID
@@ -1998,8 +1998,8 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 	checkSecretDataHashAnnotation := func(tc *testCase) {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
-			expectedHash := utils.ObjectHash(map[string][]byte{
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
+			expectedHash := esutils.ObjectHash(map[string][]byte{
 				targetProp: []byte(secretVal),
 			})
 			Expect(secret.Annotations[esv1.AnnotationDataHash]).To(Equal(expectedHash))
@@ -2023,8 +2023,8 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
-			expectedHash := utils.ObjectHash(map[string][]byte{
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
+			expectedHash := esutils.ObjectHash(map[string][]byte{
 				existingKey: []byte(existingVal),
 				targetProp:  []byte(secretVal),
 			})
@@ -2039,7 +2039,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		fakeProvider.WithGetSecretMap(fakeData, nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			oldHash := secret.Annotations[esv1.AnnotationDataHash]
 			oldResourceVersion := secret.ResourceVersion
 			Expect(oldHash).NotTo(BeEmpty())
@@ -2094,9 +2094,9 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 				if err != nil {
 					return false
 				}
-				_, ok := refreshedSecret.Data["key"]
-				return !ok && bytes.Equal(refreshedSecret.Data["new"], []byte("foo"))
-			}, timeout, interval).Should(BeTrue())
+				// ensure new data value exist
+				return string(refreshedSecret.Data["new"]) == "foo"
+			}, time.Second*10, time.Millisecond*200).Should(BeTrue())
 		}
 	}
 	// When we update the template, remaining keys should not be preserved
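Review bot: The rewritten `Eventually` closure no longer checks that the old `key` entry has disappeared from the refreshed Secret; the removed lines returned `!ok && bytes.Equal(...)`, while the new return only compares `Data["new"]` with `"foo"`. In a commit described as linter fixes this narrows what the test proves: a regression that leaves a stale key and its value in the target Secret after a refresh would now pass. Unless the narrowing is intentional, keep both conditions: `_, ok := refreshedSecret.Data["key"]` followed by `return !ok && string(refreshedSecret.Data["new"]) == "foo"`. The literal `time.Second*10, time.Millisecond*200` also replaces the `timeout, interval` values used before, which looks unrelated to the linter. The enclosing test function starts outside this hunk.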
@@ -2110,7 +2110,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 				"key": `{{.targetProperty}}-foo`,
 			},
 		}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Data["key"]).To(Equal([]byte("someValue-foo")))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
@@ -2134,7 +2134,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 
 	// Secret is created when ClusterSecretStore has no conditions
 	noConditionsSecretCreated := func(tc *testCase) {
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 	}
@@ -2201,7 +2201,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 	}
@@ -2213,7 +2213,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 	}
@@ -2243,7 +2243,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 	}
@@ -2276,7 +2276,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 	}
@@ -2292,7 +2292,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 		}
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 	}
@@ -2453,7 +2453,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 					RefreshTime: metav1.Now(),
 				},
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			// this should not refresh, rv matches object
 			Expect(shouldRefresh(es)).To(BeFalse())
 
@@ -2477,7 +2477,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 					RefreshTime: metav1.Now(),
 				},
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			// this should not refresh, rv matches object
 			Expect(shouldRefresh(es)).To(BeFalse())
 
@@ -2498,7 +2498,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 					RefreshTime: metav1.Now(),
 				},
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 			// update gen -> refresh
@@ -2517,7 +2517,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 				Status: esv1.ExternalSecretStatus{},
 			}
 			// resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 		})
 
@@ -2534,7 +2534,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 				},
 			}
 			// resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 
@@ -2549,20 +2549,20 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 				Status: esv1.ExternalSecretStatus{},
 			}
 			// resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 
 	})
 	Context("objectmeta hash", func() {
 		It("should produce different hashes for different k/v pairs", func() {
-			h1 := util.HashMeta(metav1.ObjectMeta{
+			h1 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Annotations: map[string]string{
 					"foo": "bar",
 				},
 			})
-			h2 := util.HashMeta(metav1.ObjectMeta{
+			h2 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Annotations: map[string]string{
 					"foo": "bing",
@@ -2572,7 +2572,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should produce different hashes for different generations but same label/annotations", func() {
-			h1 := util.HashMeta(metav1.ObjectMeta{
+			h1 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Annotations: map[string]string{
 					"foo": "bar",
@@ -2581,7 +2581,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 					"foo": "bar",
 				},
 			})
-			h2 := util.HashMeta(metav1.ObjectMeta{
+			h2 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 2,
 				Annotations: map[string]string{
 					"foo": "bar",
@@ -2594,21 +2594,21 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should produce the same hash for the same k/v pairs", func() {
-			h1 := util.HashMeta(metav1.ObjectMeta{
+			h1 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 			})
-			h2 := util.HashMeta(metav1.ObjectMeta{
+			h2 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 			})
 			Expect(h1).To(Equal(h2))
 
-			h1 = util.HashMeta(metav1.ObjectMeta{
+			h1 = ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Annotations: map[string]string{
 					"foo": "bar",
 				},
 			})
-			h2 = util.HashMeta(metav1.ObjectMeta{
+			h2 = ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Annotations: map[string]string{
 					"foo": "bar",
@@ -2718,7 +2718,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 			}
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 		})
 
@@ -2738,7 +2738,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 			}
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 			es.Annotations["foo"] = "bar1"
@@ -2766,7 +2766,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 			}
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 
 			// Initially should not refresh
 			Expect(shouldRefresh(es)).To(BeFalse())
@@ -2799,7 +2799,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 					RefreshTime: metav1.Now(),
 				},
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 			// When refresh interval has passed
@@ -2823,7 +2823,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 			}
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 		})
 
@@ -2858,7 +2858,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 			}
 			// Resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 
@@ -2874,7 +2874,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				Status: esv1.ExternalSecretStatus{},
 			}
 			// Resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 
@@ -2892,7 +2892,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 			}
 			// Resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 
@@ -2918,9 +2918,10 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 					RefreshTime:           metav1.NewTime(metav1.Now().Add(-time.Second * 5)),
 				},
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 
+			// Update the spec by adding a new data item
 			es.ObjectMeta.Generation = 2
 			es.Spec.Data = append(es.Spec.Data, esv1.ExternalSecretData{
 				SecretKey: "key2",
@@ -2955,7 +2956,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 			}
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 			// Update the spec by adding a new data item
@@ -2992,7 +2993,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 			}
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 			// Update labels and annotations

+ 7 - 0
pkg/controllers/generatorstate/generatorstate_controller.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package generatorstate implements controllers for managing GeneratorState resources
 package generatorstate
 
 import (
@@ -36,6 +37,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Reconciler reconciles a GeneratorState object, managing its lifecycle and cleanup.
 type Reconciler struct {
 	client.Client
 
@@ -47,6 +49,11 @@ type Reconciler struct {
 
 const generatorStateFinalizer = "generatorstate.externalsecrets.io/finalizer"
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+//
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.15.0/pkg/reconcile
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) {
 	generatorState := &genv1alpha1.GeneratorState{}
 	err = r.Get(ctx, req.NamespacedName, generatorState)
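Review bot: The link in the new `Reconcile` comment is pinned to `controller-runtime@v0.15.0`, whereas the equivalent comment this commit adds to the pushsecret `Reconcile` links the unversioned package page. A pinned version goes stale when the dependency is bumped; using `https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile` in both places keeps them consistent. The function body continues outside this hunk.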

+ 3 - 4
pkg/controllers/generatorstate/util.go

@@ -23,7 +23,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
-// NewgeneratorstateCondition a set of default options for creating an GeneratorState Condition.
+// NewGeneratorStateCondition a set of default options for creating an GeneratorState Condition.
 func NewGeneratorStateCondition(condType genv1alpha1.GeneratorStateConditionType, status v1.ConditionStatus, reason, message string) *genv1alpha1.GeneratorStateStatusCondition {
 	return &genv1alpha1.GeneratorStateStatusCondition{
 		Type:               condType,
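Review bot: The corrected comment still has no verb (`NewGeneratorStateCondition a set of default options ...`) and says `an GeneratorState`. The visible body returns a `*genv1alpha1.GeneratorStateStatusCondition`, so `// NewGeneratorStateCondition returns a GeneratorStateStatusCondition built from the given type, status, reason and message.` reads as a sentence and matches the signature. The struct literal continues past the end of this hunk.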
@@ -34,7 +34,7 @@ func NewGeneratorStateCondition(condType genv1alpha1.GeneratorStateConditionType
 	}
 }
 
-// GetgeneratorstateCondition returns the condition with the provided type.
+// GetGeneratorStateCondition returns the condition with the provided type.
 func GetGeneratorStateCondition(status genv1alpha1.GeneratorStateStatus, condType genv1alpha1.GeneratorStateConditionType) *genv1alpha1.GeneratorStateStatusCondition {
 	for _, c := range status.Conditions {
 		if c.Type == condType {
@@ -44,8 +44,7 @@ func GetGeneratorStateCondition(status genv1alpha1.GeneratorStateStatus, condTyp
 	return nil
 }
 
-// SetGeneratorStateCondition updates the GeneratorState to include the provided
-// condition.
+// SetGeneratorStateCondition updates the GeneratorState to include the provided condition.
 func SetGeneratorStateCondition(gs *genv1alpha1.GeneratorState, condition genv1alpha1.GeneratorStateStatusCondition) {
 	currentCond := GetGeneratorStateCondition(gs.Status, condition.Type)
 

+ 7 - 0
pkg/controllers/metrics/labels.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package metrics provides utilities for metrics used by controllers.
 package metrics
 
 import (
@@ -23,12 +24,16 @@ import (
 )
 
 var (
+	// NonConditionMetricLabelNames are the label names used for non-conditional metrics.
 	NonConditionMetricLabelNames = make([]string, 0)
 
+	// ConditionMetricLabelNames are the label names used for conditional metrics.
 	ConditionMetricLabelNames = make([]string, 0)
 
+	// NonConditionMetricLabels holds the actual label values for non-conditional metrics.
 	NonConditionMetricLabels = make(map[string]string)
 
+	// ConditionMetricLabels holds the actual label values for conditional metrics.
 	ConditionMetricLabels = make(map[string]string)
 )
 
@@ -94,10 +99,12 @@ func RefineLabels(promLabels prometheus.Labels, newLabels map[string]string) pro
 	return refinement
 }
 
+// RefineNonConditionMetricLabels refines the non-conditional metric labels with the given labels.
 func RefineNonConditionMetricLabels(labels map[string]string) prometheus.Labels {
 	return RefineLabels(NonConditionMetricLabels, labels)
 }
 
+// RefineConditionMetricLabels refines the conditional metric labels with the given labels.
 func RefineConditionMetricLabels(labels map[string]string) prometheus.Labels {
 	return RefineLabels(ConditionMetricLabels, labels)
 }

+ 10 - 2
pkg/controllers/pushsecret/psmetrics/psmetrics.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package psmetrics provides metrics for PushSecret controller.
 package psmetrics
 
 import (
@@ -26,9 +27,14 @@ import (
 )
 
 const (
-	PushSecretSubsystem            = "pushsecret"
+	// PushSecretSubsystem is the subsystem name for PushSecret metrics.
+	PushSecretSubsystem = "pushsecret"
+
+	// PushSecretReconcileDurationKey is the key for the reconcile duration metric.
 	PushSecretReconcileDurationKey = "reconcile_duration"
-	PushSecretStatusConditionKey   = "status_condition"
+
+	// PushSecretStatusConditionKey is the key for the status condition metric.
+	PushSecretStatusConditionKey = "status_condition"
 )
 
 var gaugeVecMetrics = map[string]*prometheus.GaugeVec{}
@@ -56,6 +62,7 @@ func SetUpMetrics() {
 	}
 }
 
+// UpdatePushSecretCondition updates the condition metrics for a PushSecret.
 func UpdatePushSecretCondition(ps *esapi.PushSecret, condition *esapi.PushSecretStatusCondition, value float64) {
 	psInfo := make(map[string]string)
 	psInfo["name"] = ps.Name
@@ -99,6 +106,7 @@ func UpdatePushSecretCondition(ps *esapi.PushSecret, condition *esapi.PushSecret
 		})).Set(value)
 }
 
+// GetGaugeVec returns a GaugeVec for the given metric key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }
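Review bot: The added comment on `GetGaugeVec` does not say what happens for an unknown key. The body is a plain map lookup on `gaugeVecMetrics`, so a key that was never registered yields a nil `*prometheus.GaugeVec`. I would document that, `// GetGaugeVec returns the GaugeVec registered under key, or nil if none exists.`, so callers know to check the result before using it.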

+ 31 - 6
pkg/controllers/pushsecret/pushsecret_controller.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package pushsecret implements the controller for managing PushSecret resources.
 package pushsecret
 
 import (
@@ -44,11 +45,12 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/pushsecret/psmetrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
 	"github.com/external-secrets/external-secrets/pkg/controllers/util"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/generator/statemanager"
 	"github.com/external-secrets/external-secrets/pkg/provider/util/locks"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 
+	// Load registered generators.
 	_ "github.com/external-secrets/external-secrets/pkg/generator/register"
 )
 
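Review bot: The unchanged import of `github.com/external-secrets/external-secrets/pkg/controllers/util` stays without an alias, yet later hunks in this file call `ctrlutil.GetResourceVersion`. The package clause behind that path has presumably been renamed to `ctrlutil`, although the clause itself is not visible here. When the package name differs from the last path element, an explicit alias makes the binding visible to readers and tools: `ctrlutil "github.com/external-secrets/external-secrets/pkg/controllers/util"`.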
@@ -64,6 +66,9 @@ const (
 	errCloudNotUpdateFinalizer = "could not update finalizers: %w"
 )
 
+// Reconciler is the controller for PushSecret resources.
+// It manages the lifecycle of PushSecrets, ensuring that secrets are pushed to
+// specified secret stores according to the defined policies and templates.
 type Reconciler struct {
 	client.Client
 	Log             logr.Logger
@@ -74,6 +79,9 @@ type Reconciler struct {
 	ControllerClass string
 }
 
+// SetupWithManager sets up the controller with the Manager.
+// It configures the controller to watch PushSecret resources and
+// manages indexing for efficient lookups based on secret stores and deletion policies.
 func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opts controller.Options) error {
 	r.recorder = mgr.GetEventRecorderFor("pushsecret")
 
@@ -111,6 +119,10 @@ func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opt
 		Complete(r)
 }
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("pushsecret", req.NamespacedName)
 
@@ -191,7 +203,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	}
 	if !shouldRefresh(ps) {
 		refreshInt = (ps.Spec.RefreshInterval.Duration - timeSinceLastRefresh) + 5*time.Second
-		log.V(1).Info("skipping refresh", "rv", util.GetResourceVersion(ps.ObjectMeta), "nr", refreshInt.Seconds())
+		log.V(1).Info("skipping refresh", "rv", ctrlutil.GetResourceVersion(ps.ObjectMeta), "nr", refreshInt.Seconds())
 		return ctrl.Result{RequeueAfter: refreshInt}, nil
 	}
 
@@ -269,7 +281,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 }
 
 func shouldRefresh(ps esapi.PushSecret) bool {
-	if ps.Status.SyncedResourceVersion != util.GetResourceVersion(ps.ObjectMeta) {
+	if ps.Status.SyncedResourceVersion != ctrlutil.GetResourceVersion(ps.ObjectMeta) {
 		return true
 	}
 	if ps.Spec.RefreshInterval.Duration == 0 && ps.Status.SyncedResourceVersion != "" {
@@ -299,7 +311,7 @@ func (r *Reconciler) markAsDone(ps *esapi.PushSecret, secrets esapi.SyncedPushSe
 	SetPushSecretCondition(ps, *cond)
 	r.setSecrets(ps, secrets)
 	ps.Status.RefreshTime = metav1.NewTime(start)
-	ps.Status.SyncedResourceVersion = util.GetResourceVersion(ps.ObjectMeta)
+	ps.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(ps.ObjectMeta)
 	r.recorder.Event(ps, v1.EventTypeNormal, esapi.ReasonSynced, msg)
 }
 
@@ -323,6 +335,9 @@ func mergeSecretState(newMap, old esapi.SyncedPushSecretsMap) esapi.SyncedPushSe
 	return out
 }
 
+// DeleteSecretFromProviders removes secrets from providers that are no longer needed.
+// It compares the existing synced secrets in the PushSecret status with the new desired state,
+// and deletes any secrets that are no longer present in the new state.
 func (r *Reconciler) DeleteSecretFromProviders(ctx context.Context, ps *esapi.PushSecret, newMap esapi.SyncedPushSecretsMap, mgr *secretstore.Manager) (esapi.SyncedPushSecretsMap, error) {
 	out := mergeSecretState(newMap, ps.Status.SyncedPushSecrets)
 	for storeName, oldData := range ps.Status.SyncedPushSecrets {
@@ -357,6 +372,7 @@ func (r *Reconciler) DeleteSecretFromProviders(ctx context.Context, ps *esapi.Pu
 	return out, nil
 }
 
+// DeleteAllSecretsFromStore removes all secrets from a given secret store.
 func (r *Reconciler) DeleteAllSecretsFromStore(ctx context.Context, client esv1.SecretsClient, data map[string]esapi.PushSecretData) error {
 	for _, v := range data {
 		err := r.DeleteSecretFromStore(ctx, client, v)
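Review bot: The new doc comment on `DeleteAllSecretsFromStore` overstates what the function does. The loop only ranges over the `data` map it is given and calls `DeleteSecretFromStore` for each entry, so it removes the listed entries, not every secret in the store. On a path that deletes remote secrets, that wording matters to anyone judging what a deletion policy can reach. I would write `// DeleteAllSecretsFromStore deletes each secret listed in data from the store behind client.` The function body continues past the end of this hunk, so its error handling is not visible here.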
@@ -367,10 +383,14 @@ func (r *Reconciler) DeleteAllSecretsFromStore(ctx context.Context, client esv1.
 	return nil
 }
 
+// DeleteSecretFromStore removes a specific secret from a given secret store.
 func (r *Reconciler) DeleteSecretFromStore(ctx context.Context, client esv1.SecretsClient, data esapi.PushSecretData) error {
 	return client.DeleteSecret(ctx, data.Match.RemoteRef)
 }
 
+// PushSecretToProviders pushes the secret data to the specified secret stores.
+// It iterates over each store and handles the push operation according to the
+// defined update policies and conversion strategies.
 func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores map[esapi.PushSecretStoreRef]esv1.GenericStore, ps esapi.PushSecret, secret *v1.Secret, mgr *secretstore.Manager) (esapi.SyncedPushSecretsMap, error) {
 	out := make(esapi.SyncedPushSecretsMap)
 	for ref, store := range stores {
@@ -395,7 +415,7 @@ func (r *Reconciler) handlePushSecretDataForStore(ctx context.Context, ps esapi.
 		return out, fmt.Errorf("could not get secrets client for store %v: %w", storeName, err)
 	}
 	for _, data := range ps.Spec.Data {
-		secretData, err := utils.ReverseKeys(data.ConversionStrategy, originalSecretData)
+		secretData, err := esutils.ReverseKeys(data.ConversionStrategy, originalSecretData)
 		if err != nil {
 			return nil, fmt.Errorf(errConvert, err)
 		}
@@ -513,6 +533,9 @@ func (r *Reconciler) resolveSecretFromGenerator(ctx context.Context, namespace s
 	}, err
 }
 
+// GetSecretStores retrieves the SecretStore and ClusterSecretStore resources
+// referenced in the PushSecret. It supports both direct references by name
+// and label selectors to find multiple stores.
 func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) (map[esapi.PushSecretStoreRef]esv1.GenericStore, error) {
 	stores := make(map[esapi.PushSecretStoreRef]esv1.GenericStore)
 	for _, refStore := range ps.Spec.SecretStoreRefs {
@@ -583,6 +606,7 @@ func (r *Reconciler) getSecretStoreFromName(ctx context.Context, refStore esapi.
 	return &store, nil
 }
 
+// NewPushSecretCondition creates a new PushSecret condition.
 func NewPushSecretCondition(condType esapi.PushSecretConditionType, status v1.ConditionStatus, reason, message string) *esapi.PushSecretStatusCondition {
 	return &esapi.PushSecretStatusCondition{
 		Type:               condType,
@@ -593,6 +617,7 @@ func NewPushSecretCondition(condType esapi.PushSecretConditionType, status v1.Co
 	}
 }
 
+// SetPushSecretCondition updates the PushSecret to include the provided condition.
 func SetPushSecretCondition(ps *esapi.PushSecret, condition esapi.PushSecretStatusCondition) {
 	currentCond := GetPushSecretCondition(ps.Status.Conditions, condition.Type)
 	if currentCond != nil && currentCond.Status == condition.Status &&

+ 3 - 3
pkg/controllers/pushsecret/pushsecret_controller_template.go

@@ -26,8 +26,8 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/templating"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/template"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register" // Loading registered providers.
 )
@@ -106,8 +106,8 @@ func setMetadata(secret *v1.Secret, ps *v1alpha1.PushSecret) error {
 	}
 
 	secret.Type = ps.Spec.Template.Type
-	utils.MergeStringMap(secret.ObjectMeta.Labels, ps.Spec.Template.Metadata.Labels)
-	utils.MergeStringMap(secret.ObjectMeta.Annotations, ps.Spec.Template.Metadata.Annotations)
+	esutils.MergeStringMap(secret.ObjectMeta.Labels, ps.Spec.Template.Metadata.Labels)
+	esutils.MergeStringMap(secret.ObjectMeta.Annotations, ps.Spec.Template.Metadata.Annotations)
 
 	return nil
 }

+ 23 - 23
pkg/controllers/pushsecret/pushsecret_controller_test.go

@@ -249,7 +249,7 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return nil
 		}
-		fakeProvider.SecretExistsFn = func(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+		fakeProvider.SecretExistsFn = func(_ context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 			setSecretArgs := fakeProvider.GetPushSecretData()
 			_, ok := setSecretArgs[ref.GetRemoteKey()]
 			return ok, nil
@@ -279,7 +279,7 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return nil
 		}
-		fakeProvider.SecretExistsFn = func(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+		fakeProvider.SecretExistsFn = func(_ context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 			setSecretArgs := fakeProvider.GetPushSecretData()
 			_, ok := setSecretArgs[ref.GetRemoteKey()]
 			return ok, nil
@@ -322,7 +322,7 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return nil
 		}
-		fakeProvider.SecretExistsFn = func(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+		fakeProvider.SecretExistsFn = func(_ context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 			setSecretArgs := fakeProvider.GetPushSecretData()
 			_, ok := setSecretArgs[ref.GetRemoteKey()]
 			return ok, nil
@@ -373,12 +373,12 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return nil
 		}
-		fakeProvider.SecretExistsFn = func(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+		fakeProvider.SecretExistsFn = func(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 			return false, errors.New("don't know")
 		}
 		tc.pushsecret.Spec.UpdatePolicy = v1alpha1.PushSecretUpdatePolicyIfNotExists
 
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			Eventually(func() bool {
 				By("checking if sync failed if secret existence cannot be verified in Provider")
 				expected := v1alpha1.PushSecretStatusCondition{
@@ -442,7 +442,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			Eventually(func() bool {
 				By("checking if Provider value got updated")
 				setSecretArgs := fakeProvider.GetPushSecretData()
@@ -506,7 +506,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			Eventually(func() bool {
 				By("checking if Provider value got updated")
 				setSecretArgs := fakeProvider.GetPushSecretData()
@@ -556,7 +556,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			ps.Spec.Data[0].Match.RemoteRef.RemoteKey = newKey
 			updatedPS := &v1alpha1.PushSecret{}
 			Expect(k8sClient.Update(context.Background(), ps, &client.UpdateOptions{})).Should(Succeed())
@@ -612,7 +612,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			ps.Spec.DeletionPolicy = v1alpha1.PushSecretDeletionPolicyNone
 			updatedPS := &v1alpha1.PushSecret{}
 			Expect(k8sClient.Update(context.Background(), ps, &client.UpdateOptions{})).Should(Succeed())
@@ -667,7 +667,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			ps.Spec.Data[0].Match.RemoteRef.RemoteKey = newKey
 			updatedPS := &v1alpha1.PushSecret{}
 			Expect(k8sClient.Update(context.Background(), ps, &client.UpdateOptions{})).Should(Succeed())
@@ -696,7 +696,7 @@ var _ = Describe("PushSecret controller", func() {
 			return errors.New("boom")
 		}
 		tc.pushsecret.Spec.DeletionPolicy = v1alpha1.PushSecretDeletionPolicyDelete
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			secondStore := &esv1.SecretStore{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "new-store",
@@ -738,7 +738,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		tc.pushsecret.Spec.DeletionPolicy = v1alpha1.PushSecretDeletionPolicyDelete
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			secondStore := &esv1.SecretStore{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "new-store",
@@ -956,7 +956,7 @@ var _ = Describe("PushSecret controller", func() {
 			Kind:       "Fake",
 			Name:       "test",
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			setSecretArgs := fakeProvider.GetPushSecretData()
 			providerValue := setSecretArgs[ps.Spec.Data[0].Match.RemoteRef.RemoteKey].Value
 			expected := v1alpha1.PushSecretStatusCondition{
@@ -1041,7 +1041,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		tc.secret = nil
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1057,7 +1057,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		tc.pushsecret.Spec.Data[0].Match.SecretKey = "unexisting"
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1073,7 +1073,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		tc.store = nil
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1091,7 +1091,7 @@ var _ = Describe("PushSecret controller", func() {
 		tc.store = nil
 		tc.pushsecret.Spec.SecretStoreRefs[0].Kind = "ClusterSecretStore"
 		tc.pushsecret.Spec.SecretStoreRefs[0].Name = "unexisting"
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1106,7 +1106,7 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return errors.New("boom")
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1118,10 +1118,10 @@ var _ = Describe("PushSecret controller", func() {
 	}
 	// if target Secret name is not specified it should use the ExternalSecret name.
 	newClientFail := func(tc *testCase) {
-		fakeProvider.NewFn = func(context.Context, esv1.GenericStore, client.Client, string) (esv1.SecretsClient, error) {
+		fakeProvider.NewFn = func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 			return nil, errors.New("boom")
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1169,7 +1169,7 @@ var _ = Describe("PushSecret controller", func() {
 		}
 		// Should not select the SecretStore in a different namespace
 		// (if so, it would fail to find it in the same namespace and be reflected in the status)
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			// Assert that the status is never updated (no SecretStores found)
 			Consistently(func() bool {
 				err := k8sClient.Get(context.Background(), client.ObjectKeyFromObject(ps), ps)
@@ -1209,7 +1209,7 @@ var _ = Describe("PushSecret controller", func() {
 			},
 		}
 
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(_ *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			Eventually(func() bool {
 				// We should not be able to reference a secret across namespaces,
 				// the map should be empty.
@@ -1495,7 +1495,7 @@ var _ = Describe("PushSecret Controller Un/Managed Stores", func() {
 			},
 		}
 
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			return len(ps.Status.Conditions) == 0
 		}
 	}

+ 4 - 0
pkg/controllers/secretstore/client_manager.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package secretstore implements the controllers for managing SecretStore resources
 package secretstore
 
 import (
@@ -77,6 +78,9 @@ func NewManager(ctrlClient client.Client, controllerClass string, enableFloodgat
 	}
 }
 
+// GetFromStore returns a provider client from the given store.
+// Do not close the client returned from this func, instead close
+// the manager once you're done with reconciling the external secret.
 func (m *Manager) GetFromStore(ctx context.Context, store esv1.GenericStore, namespace string) (esv1.SecretsClient, error) {
 	storeProvider, err := esv1.GetProvider(store)
 	if err != nil {

+ 4 - 4
pkg/controllers/secretstore/client_manager_test.go

@@ -142,7 +142,7 @@ func TestManagerGet(t *testing.T) {
 				namespace: defaultStore.Namespace,
 				sourceRef: nil,
 			},
-			clientConstructor: func(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
+			clientConstructor: func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 				return clientA, nil
 			},
 			verify: func(sc esv1.SecretsClient) {
@@ -184,7 +184,7 @@ func TestManagerGet(t *testing.T) {
 				},
 				namespace: defaultStore.Namespace,
 			},
-			clientConstructor: func(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
+			clientConstructor: func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 				return clientB, nil
 			},
 			verify: func(sc esv1.SecretsClient) {
@@ -226,7 +226,7 @@ func TestManagerGet(t *testing.T) {
 				namespace: defaultStore.Namespace,
 				sourceRef: nil,
 			},
-			clientConstructor: func(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
+			clientConstructor: func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 				// constructor should not be called,
 				// the client from the cache should be returned instead
 				t.Fail()
@@ -272,7 +272,7 @@ func TestManagerGet(t *testing.T) {
 				namespace: otherStore.Namespace,
 				sourceRef: nil,
 			},
-			clientConstructor: func(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
+			clientConstructor: func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 				// because there is a store mismatch
 				// we create a new client
 				return clientB, nil

+ 4 - 0
pkg/controllers/secretstore/clustersecretstore_controller.go

@@ -50,6 +50,10 @@ type ClusterStoreReconciler struct {
 	PushSecretEnabled bool
 }
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
 func (r *ClusterStoreReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("clustersecretstore", req.NamespacedName)
 

+ 12 - 10
pkg/controllers/secretstore/common.go

@@ -36,16 +36,17 @@ import (
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore/metrics"
 
+	// Load registered providers.
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"
 )
 
 const (
-	errStoreClient         = "could not get provider client: %w"
-	errValidationFailed    = "could not validate provider: %w"
-	errValidationUnknown   = "could not determine validation status"
-	errPatchStatus         = "unable to patch status: %w"
-	errUnableCreateClient  = "unable to create client"
-	errUnableValidateStore = "unable to validate store"
+	errStoreClient          = "could not get provider client: %w"
+	errValidationFailed     = "could not validate provider: %w"
+	errValidationUnknownMsg = "could not determine validation status"
+	errPatchStatus          = "unable to patch status: %w"
+	errUnableCreateClient   = "unable to create client"
+	errUnableValidateStore  = "unable to validate store"
 
 	msgStoreValidated     = "store validated"
 	msgStoreNotMaintained = "store isn't currently maintained. Please plan and prepare accordingly."
@@ -54,8 +55,9 @@ const (
 	secretStoreFinalizer = "secretstore.externalsecrets.io/finalizer"
 )
 
-var validationUnknownError = errors.New("could not determine validation status")
+var errValidationUnknown = errors.New(errValidationUnknownMsg)
 
+// Opts holds the options for the reconcile function.
 type Opts struct {
 	ControllerClass string
 	GaugeVecGetter  metrics.GaugeVevGetter
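Review bot: The sentinel `errValidationUnknown` gets no comment, although the rename moves that identifier from the message string to the error value and its handling is unusual. In the later hunks of this file, `validateStore` returns it after setting `SecretStoreReady` to `ConditionTrue` with `ReasonValidationUnknown`, and `reconcile` matches it with `errors.Is` and requeues without returning an error. A comment such as `// errValidationUnknown is returned by validateStore when the provider cannot determine validity; the store is still marked ready and reconcile only requeues.` would make that fail-open path visible to the next reader. The `Opts` struct continues outside the hunk.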
@@ -107,7 +109,7 @@ func reconcile(ctx context.Context, req ctrl.Request, ss esapi.GenericStore, cl
 		log.Error(err, "unable to validate store")
 		// in case of validation status unknown, validateStore will mark
 		// the store as ready but we should show ReasonValidationUnknown
-		if errors.Is(err, validationUnknownError) {
+		if errors.Is(err, errValidationUnknown) {
 			return ctrl.Result{RequeueAfter: requeueInterval}, nil
 		}
 		return ctrl.Result{}, err
@@ -161,10 +163,10 @@ func validateStore(ctx context.Context, namespace, controllerClass string, store
 	validationResult, err := cl.Validate()
 	if err != nil {
 		if validationResult == esapi.ValidationResultUnknown {
-			cond := NewSecretStoreCondition(esapi.SecretStoreReady, v1.ConditionTrue, esapi.ReasonValidationUnknown, errValidationUnknown)
+			cond := NewSecretStoreCondition(esapi.SecretStoreReady, v1.ConditionTrue, esapi.ReasonValidationUnknown, errValidationUnknownMsg)
 			SetExternalSecretCondition(store, *cond, gaugeVecGetter)
 			recorder.Event(store, v1.EventTypeWarning, esapi.ReasonValidationUnknown, err.Error())
-			return validationUnknownError
+			return errValidationUnknown
 		}
 		cond := NewSecretStoreCondition(esapi.SecretStoreReady, v1.ConditionFalse, esapi.ReasonInvalidProviderConfig, errUnableValidateStore)
 		SetExternalSecretCondition(store, *cond, gaugeVecGetter)

+ 6 - 1
pkg/controllers/secretstore/cssmetrics/cssmetrics.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cssmetrics provides metrics for ClusterSecretStore controllers.
 package cssmetrics
 
 import (
@@ -25,7 +26,10 @@ import (
 )
 
 const (
-	ClusterSecretStoreSubsystem            = "clustersecretstore"
+	// ClusterSecretStoreSubsystem is the subsystem name for ClusterSecretStore metrics.
+	ClusterSecretStoreSubsystem = "clustersecretstore"
+
+	// ClusterSecretStoreReconcileDurationKey is the key for the reconcile duration metric.
 	ClusterSecretStoreReconcileDurationKey = "reconcile_duration"
 )
 
@@ -54,6 +58,7 @@ func SetUpMetrics() {
 	}
 }
 
+// GetGaugeVec retrieves a Prometheus GaugeVec based on the provided key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }

+ 4 - 0
pkg/controllers/secretstore/metrics/metrics.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package metrics provides metrics for SecretStore controllers.
 package metrics
 
 import (
@@ -24,10 +25,13 @@ import (
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 )
 
+// StatusConditionKey is the key for the status condition metric.
 const StatusConditionKey = "status_condition"
 
+// GaugeVevGetter is a function type that retrieves a Prometheus GaugeVec based on a provided key.
 type GaugeVevGetter func(key string) *prometheus.GaugeVec
 
+// UpdateStatusCondition updates the condition metrics for a SecretStore.
 func UpdateStatusCondition(ss esapi.GenericStore, condition esapi.SecretStoreStatusCondition, gaugeVecGetter GaugeVevGetter) {
 	ssInfo := make(map[string]string)
 	ssInfo["name"] = ss.GetName()
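Review bot: The added doc comment documents the exported type under its misspelled name `GaugeVevGetter` ("Vev" for "Vec"), while the parameter beside it is `gaugeVecGetter` and the `Opts` field in secretstore/common.go is `GaugeVecGetter`. Since this commit already touches exported names for lint reasons, I would add an alias `type GaugeVecGetter = GaugeVevGetter` and put a `// Deprecated:` line on the old name, so callers can migrate without a breaking change. `UpdateStatusCondition` continues outside the hunk.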

+ 4 - 0
pkg/controllers/secretstore/secretstore_controller.go

@@ -50,6 +50,10 @@ type StoreReconciler struct {
 	PushSecretEnabled bool
 }
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
 func (r *StoreReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("secretstore", req.NamespacedName)
 

+ 6 - 1
pkg/controllers/secretstore/ssmetrics/ssmetrics.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package ssmetrics provides metrics for SecretStore controllers.
 package ssmetrics
 
 import (
@@ -25,7 +26,10 @@ import (
 )
 
 const (
-	SecretStoreSubsystem            = "secretstore"
+	// SecretStoreSubsystem is the subsystem name for SecretStore metrics.
+	SecretStoreSubsystem = "secretstore"
+
+	// SecretStoreReconcileDurationKey is the key for the reconcile duration metric.
 	SecretStoreReconcileDurationKey = "reconcile_duration"
 )
 
@@ -54,6 +58,7 @@ func SetUpMetrics() {
 	}
 }
 
+// GetGaugeVec returns the GaugeVec for the given key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }

+ 11 - 0
pkg/controllers/templating/parser.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package templating provides functionality for templating secret data.
 package templating
 
 import (
@@ -40,6 +41,7 @@ var (
 	errExecTpl          = "could not execute template: %w"
 )
 
+// Parser is responsible for parsing and merging templates into a target secret.
 type Parser struct {
 	Exec         template.ExecFunc
 	DataMap      map[string][]byte
@@ -50,6 +52,7 @@ type Parser struct {
 	TemplateFromSecret    *v1.Secret
 }
 
+// MergeConfigMap merges the configmap template specified in the ExternalSecretTemplate's TemplateFrom field.
 func (p *Parser) MergeConfigMap(ctx context.Context, namespace string, tpl esv1.TemplateFrom) error {
 	if tpl.ConfigMap == nil {
 		return nil
@@ -88,6 +91,7 @@ func (p *Parser) MergeConfigMap(ctx context.Context, namespace string, tpl esv1.
 	return nil
 }
 
+// MergeSecret merges the secret template specified in the ExternalSecretTemplate's TemplateFrom field.
 func (p *Parser) MergeSecret(ctx context.Context, namespace string, tpl esv1.TemplateFrom) error {
 	if tpl.Secret == nil {
 		return nil
@@ -126,6 +130,7 @@ func (p *Parser) MergeSecret(ctx context.Context, namespace string, tpl esv1.Tem
 	return nil
 }
 
+// MergeLiteral merges the literal template specified in the ExternalSecretTemplate's TemplateFrom field.
 func (p *Parser) MergeLiteral(_ context.Context, tpl esv1.TemplateFrom) error {
 	if tpl.Literal == nil {
 		return nil
@@ -135,6 +140,7 @@ func (p *Parser) MergeLiteral(_ context.Context, tpl esv1.TemplateFrom) error {
 	return p.Exec(out, p.DataMap, esv1.TemplateScopeKeysAndValues, tpl.Target, p.TargetSecret)
 }
 
+// MergeTemplateFrom merges all templates specified in the ExternalSecretTemplate's TemplateFrom field.
 func (p *Parser) MergeTemplateFrom(ctx context.Context, namespace string, template *esv1.ExternalSecretTemplate) error {
 	if template == nil {
 		return nil
@@ -157,6 +163,7 @@ func (p *Parser) MergeTemplateFrom(ctx context.Context, namespace string, templa
 	return nil
 }
 
+// MergeMap merges the given map of templates into the target secret.
 func (p *Parser) MergeMap(tplMap map[string]string, target esv1.TemplateTarget) error {
 	byteMap := make(map[string][]byte)
 	for k, v := range tplMap {
@@ -169,6 +176,7 @@ func (p *Parser) MergeMap(tplMap map[string]string, target esv1.TemplateTarget)
 	return nil
 }
 
+// GetManagedAnnotationKeys returns the keys of the annotations managed by the given field owner.
 func GetManagedAnnotationKeys(secret *v1.Secret, fieldOwner string) ([]string, error) {
 	return getManagedFieldKeys(secret, fieldOwner, func(fields map[string]any) []string {
 		metadataFields, exists := fields["f:metadata"]
@@ -195,6 +203,9 @@ func GetManagedAnnotationKeys(secret *v1.Secret, fieldOwner string) ([]string, e
 	})
 }
 
+// GetManagedLabelKeys returns the keys of labels that are managed by the given field owner.
+// It checks the ManagedFields of the secret for entries with the specified field owner
+// and extracts the keys of the labels from the fields managed by that owner.
 func GetManagedLabelKeys(secret *v1.Secret, fieldOwner string) ([]string, error) {
 	return getManagedFieldKeys(secret, fieldOwner, func(fields map[string]any) []string {
 		metadataFields, exists := fields["f:metadata"]

+ 8 - 3
pkg/controllers/util/util.go

@@ -13,26 +13,31 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-package util
+
+// Package ctrlutil provides utility functions for controllers.
+package ctrlutil
 
 import (
 	"fmt"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
+// GetResourceVersion returns a string representing the resource version of the object.
+// It is a combination of the generation and a hash of the labels and annotations.
 func GetResourceVersion(meta metav1.ObjectMeta) string {
 	return fmt.Sprintf("%d-%s", meta.GetGeneration(), HashMeta(meta))
 }
 
+// HashMeta returns a hash of the metadata's labels and annotations.
 func HashMeta(m metav1.ObjectMeta) string {
 	type meta struct {
 		annotations map[string]string
 		labels      map[string]string
 	}
-	return utils.ObjectHash(meta{
+	return esutils.ObjectHash(meta{
 		annotations: m.Annotations,
 		labels:      m.Labels,
 	})
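Review bot: The package clause is renamed to `ctrlutil` while the file header still shows the path `pkg/controllers/util/util.go`, so the package name no longer matches the last element of its import path. That compiles, but importers and tooling that guess the name from the path will get it wrong unless every import carries an explicit alias. The `pkg/utils` → `pkg/esutils` move in the same commit renames the directory as well. I would either move the directory to `pkg/controllers/ctrlutil` or consistently import it as `ctrlutil "github.com/external-secrets/external-secrets/pkg/controllers/util"`. `HashMeta` continues past the end of the hunk.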

+ 17 - 2
pkg/controllers/webhookconfig/webhookconfig.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package webhookconfig contains the controller for the WebhookConfig resource.
 package webhookconfig
 
 import (
@@ -25,7 +26,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/go-logr/logr"
 	admissionregistration "k8s.io/api/admissionregistration/v1"
 	v1 "k8s.io/api/core/v1"
@@ -41,6 +42,8 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/constants"
 )
 
+// Reconciler reconciles a ValidatingWebhookConfiguration object
+// and updates it with the CA bundle from the given secret.
 type Reconciler struct {
 	client.Client
 	Log             logr.Logger
@@ -61,6 +64,7 @@ type Reconciler struct {
 	webhookReady   bool
 }
 
+// Opts are the options for the webhookconfig controller Reconciler.
 type Opts struct {
 	SvcName         string
 	SvcNamespace    string
@@ -69,6 +73,9 @@ type Opts struct {
 	RequeueInterval time.Duration
 }
 
+// New returns a new Reconciler.
+// The controller will watch ValidatingWebhookConfiguration resources
+// and update them with the CA bundle from the given secret.
 func New(k8sClient client.Client, scheme *runtime.Scheme, leaderChan <-chan struct{}, log logr.Logger, opts Opts) *Reconciler {
 	return &Reconciler{
 		Client:          k8sClient,
@@ -87,6 +94,7 @@ func New(k8sClient client.Client, scheme *runtime.Scheme, leaderChan <-chan stru
 }
 
 const (
+	// ReasonUpdateFailed is used when we fail to update the webhook config.
 	ReasonUpdateFailed = "UpdateFailed"
 	errWebhookNotReady = "webhook not ready"
 	errCACertNotReady  = "ca cert not yet ready"
@@ -94,6 +102,10 @@ const (
 	caCertName = "ca.crt"
 )
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// In this case, we reconcile ValidatingWebhookConfiguration resources
+// that are labeled with the well-known label key and value.
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("Webhookconfig", req.NamespacedName)
 	var cfg admissionregistration.ValidatingWebhookConfiguration
@@ -130,6 +142,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	}, nil
 }
 
+// SetupWithManager sets up the controller with the Manager.
+// Also initializes the event recorder.
 func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options) error {
 	r.recorder = mgr.GetEventRecorderFor("validating-webhook-configuration")
 	return ctrl.NewControllerManagedBy(mgr).
@@ -138,6 +152,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options)
 		Complete(r)
 }
 
+// ReadyCheck does a readiness check for the webhook using the endpoint slices.
 func (r *Reconciler) ReadyCheck(_ *http.Request) error {
 	// skip readiness check if we're not leader
 	// as we depend on caches and being able to reconcile Webhooks
@@ -155,7 +170,7 @@ func (r *Reconciler) ReadyCheck(_ *http.Request) error {
 		return errors.New(errWebhookNotReady)
 	}
 
-	return utils.CheckEndpointSlicesReady(context.TODO(), r.Client, r.SvcName, r.SvcNamespace)
+	return esutils.CheckEndpointSlicesReady(context.TODO(), r.Client, r.SvcName, r.SvcNamespace)
 }
 
 // reads the ca cert and updates the webhook config.
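Review bot: `ReadyCheck` still calls `esutils.CheckEndpointSlicesReady` with `context.TODO()`, so the lookup behind the readiness probe is not tied to the probe request and is not cancelled if the caller disconnects or times out. The request is already passed in and discarded as `_ *http.Request` (signature in the previous hunk). Naming it and passing its context would bound the call: `func (r *Reconciler) ReadyCheck(req *http.Request) error` and `return esutils.CheckEndpointSlicesReady(req.Context(), r.Client, r.SvcName, r.SvcNamespace)`. This assumes the checker is always invoked with a non-nil request, which should be confirmed. The middle of the function lies between the two hunks and is not visible.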

+ 11 - 3
pkg/utils/metadata/metadata.go → pkg/esutils/metadata/metadata.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package metadata provides functionality for handling metadata for pushed secrets.
 package metadata
 
 import (
@@ -24,14 +25,21 @@ import (
 )
 
 const (
+	// APIVersion is the apiVersion for PushSecretMetadata.
 	APIVersion = "kubernetes.external-secrets.io/v1alpha1"
-	Kind       = "PushSecretMetadata"
+	// Kind is the kind for PushSecretMetadata.
+	Kind = "PushSecretMetadata"
 )
 
+// PushSecretMetadata represents metadata associated with a pushed secret.
+// T represents the type of custom metadata that can be associated with the secret.
 type PushSecretMetadata[T any] struct {
-	Kind       string `json:"kind"`
+	// Kind is the type of the resource.
+	Kind string `json:"kind"`
+	// APIVersion is the version of the API.
 	APIVersion string `json:"apiVersion"`
-	Spec       T      `json:"spec,omitempty"`
+	// Spec holds the specific metadata for the pushed secret.
+	Spec T `json:"spec,omitempty"`
 }
 
 // ParseMetadataParameters parses metadata with an arbitrary Spec.

+ 0 - 0
pkg/utils/resolvers/generator.go → pkg/esutils/resolvers/generator.go


+ 1 - 1
pkg/utils/resolvers/secret_ref.go → pkg/esutils/resolvers/secret_ref.go

@@ -30,7 +30,7 @@ import (
 
 const (
 
-	// This is used to determine if a store is cluster-scoped or not.
+	// EmptyStoreKind is used to determine if a store is cluster-scoped or not.
 	// The EmptyStoreKind is not cluster-scoped, hence resources
 	// cannot be resolved across namespaces.
 	// TODO: when we implement cluster-scoped generators

+ 0 - 0
pkg/utils/resolvers/secret_ref_test.go → pkg/esutils/resolvers/secret_ref_test.go


+ 22 - 5
pkg/utils/utils.go → pkg/esutils/utils.go

@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package utils
+// Package esutils provides utility functions for the external-secrets resources.
+package esutils
 
 import (
 	"bytes"
@@ -54,8 +55,8 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/template/v2"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 const (
@@ -87,6 +88,7 @@ func MergeByteMap(dst, src map[string][]byte) map[string][]byte {
 	return dst
 }
 
+// RewriteMap applies a series of rewrite operations to the input map.
 func RewriteMap(operations []esv1.ExternalSecretRewrite, in map[string][]byte) (map[string][]byte, error) {
 	out := in
 	var err error
@@ -265,6 +267,7 @@ func DecodeMap(strategy esv1.ExternalSecretDecodingStrategy, in map[string][]byt
 	return out, nil
 }
 
+// Decode decodes the input byte slice according to the provided decoding strategy.
 func Decode(strategy esv1.ExternalSecretDecodingStrategy, in []byte) ([]byte, error) {
 	switch strategy {
 	case esv1.ExternalSecretDecodeBase64:
@@ -410,10 +413,13 @@ func MergeStringMap(dest, src map[string]string) {
 }
 
 var (
+	// ErrUnexpectedKey is returned when an unexpected key is found in the data.
 	ErrUnexpectedKey = errors.New("unexpected key in data")
-	ErrSecretType    = errors.New("can not handle secret value with type")
+	// ErrSecretType is returned when a secret value cannot be handled due to its type.
+	ErrSecretType = errors.New("can not handle secret value with type")
 )
 
+// GetByteValueFromMap retrieves a byte value from a map by key.
 func GetByteValueFromMap(data map[string]any, key string) ([]byte, error) {
 	v, ok := data[key]
 	if !ok {
@@ -421,6 +427,8 @@ func GetByteValueFromMap(data map[string]any, key string) ([]byte, error) {
 	}
 	return GetByteValue(v)
 }
+
+// GetByteValue converts an interface value to a byte slice.
 func GetByteValue(v any) ([]byte, error) {
 	switch t := v.(type) {
 	case string:
@@ -467,6 +475,7 @@ func ObjectHash(object any) string {
 	return fmt.Sprintf("%x", sha3.Sum224([]byte(textualVersion)))
 }
 
+// ErrorContains checks if the error message contains the specified substring.
 func ErrorContains(out error, want string) bool {
 	if out == nil {
 		return want == ""
@@ -534,6 +543,7 @@ func ValidateReferentServiceAccountSelector(store esv1.GenericStore, ref esmeta.
 	return nil
 }
 
+// NetworkValidate checks if a network endpoint is reachable within the given timeout.
 func NetworkValidate(endpoint string, timeout time.Duration) error {
 	hostname, err := url.Parse(endpoint)
 
@@ -559,6 +569,7 @@ func NetworkValidate(endpoint string, timeout time.Duration) error {
 	return nil
 }
 
+// Deref returns the value pointed to by v, or the zero value if v is nil.
 func Deref[V any](v *V) V {
 	if v == nil {
 		// Create zero value
@@ -568,10 +579,12 @@ func Deref[V any](v *V) V {
 	return *v
 }
 
+// Ptr returns a pointer to the given value.
 func Ptr[T any](i T) *T {
 	return &i
 }
 
+// ConvertToType converts an object to the specified type using JSON marshaling.
 func ConvertToType[T any](obj any) (T, error) {
 	var v T
 
@@ -629,6 +642,7 @@ func dig[T any](key string, data map[string]any) (t T, _ error) {
 	return t, errKeyNotFound
 }
 
+// CompareStringAndByteSlices compares a string pointer and a byte slice for equality.
 func CompareStringAndByteSlices(valueString *string, valueByte []byte) bool {
 	if valueString == nil {
 		return false
@@ -637,6 +651,7 @@ func CompareStringAndByteSlices(valueString *string, valueByte []byte) bool {
 	return bytes.Equal(valueByte, []byte(*valueString))
 }
 
+// ExtractSecretData extracts secret data from a Kubernetes Secret based on PushSecretData configuration.
 func ExtractSecretData(data esv1.PushSecretData, secret *corev1.Secret) ([]byte, error) {
 	var (
 		err   error
@@ -756,7 +771,7 @@ func GetTargetNamespaces(ctx context.Context, cl client.Client, namespaceList []
 // NamespacePredicate can be used to watch for new or updated or deleted namespaces.
 func NamespacePredicate() predicate.Predicate {
 	return predicate.Funcs{
-		CreateFunc: func(e event.CreateEvent) bool {
+		CreateFunc: func(_ event.CreateEvent) bool {
 			return true
 		},
 		UpdateFunc: func(e event.UpdateEvent) bool {
@@ -765,7 +780,7 @@ func NamespacePredicate() predicate.Predicate {
 			}
 			return !reflect.DeepEqual(e.ObjectOld.GetLabels(), e.ObjectNew.GetLabels())
 		},
-		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
+		DeleteFunc: func(_ event.DeleteEvent) bool {
 			return true
 		},
 	}
@@ -840,6 +855,8 @@ func getCertFromConfigMap(ctx context.Context, namespace string, c client.Client
 	return []byte(val), nil
 }
 
+// CheckEndpointSlicesReady checks if there are any EndpointSlice objects for the given service
+// that have ready addresses.
 func CheckEndpointSlicesReady(ctx context.Context, c client.Client, svcName, svcNamespace string) error {
 	var sliceList discoveryv1.EndpointSliceList
 	err := c.List(ctx, &sliceList,

+ 1 - 1
pkg/utils/utils_test.go → pkg/esutils/utils_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package utils
+package esutils
 
 import (
 	"encoding/json"

+ 1 - 0
pkg/feature/feature.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package feature provides functionality related to feature flags and feature management.
 package feature
 
 import (

+ 4 - 0
pkg/find/find.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package find provides utilities for matching names against regular expressions.
 package find
 
 import (
@@ -23,10 +24,12 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
+// Matcher represents a pattern matcher that uses regular expressions to match names.
 type Matcher struct {
 	re *regexp.Regexp
 }
 
+// New creates a new Matcher using the provided FindName configuration.
 func New(findName esv1.FindName) (*Matcher, error) {
 	cmp, err := regexp.Compile(findName.RegExp)
 	if err != nil {
@@ -37,6 +40,7 @@ func New(findName esv1.FindName) (*Matcher, error) {
 	}, nil
 }
 
+// MatchName checks if the given name matches the configured regular expression pattern.
 func (m *Matcher) MatchName(name string) bool {
 	return m.re.MatchString(name)
 }

+ 5 - 1
pkg/generator/acr/acr.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package acr provides functionality for generating authentication tokens for Azure Container Registry.
 package acr
 
 import (
@@ -47,12 +48,14 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault"
 )
 
+// Generator implements ACR token generation functionality.
 type Generator struct {
 	clientSecretCreds clientSecretCredentialFunc
 }
 
 type clientSecretCredentialFunc func(tenantID string, clientID string, clientSecret string, options *azidentity.ClientSecretCredentialOptions) (TokenGetter, error)
 
+// TokenGetter defines an interface for obtaining Azure access tokens.
 type TokenGetter interface {
 	GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error)
 }
@@ -96,7 +99,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 		fetchACRRefreshToken)
 }
 
-func (g *Generator) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, crClient client.Client, namespace string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
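Review bot: The doc comment added to `Cleanup` says it "performs any necessary cleanup after token generation", but the new-side body is just `return nil` with every argument discarded, so nothing is cleaned up or revoked. On a credential generator that wording can lead a reader to assume issued tokens are invalidated when generator state is disposed. I would write `// Cleanup is a no-op; tokens issued by Generate are not revoked here.`, which matches the "no-op" wording this commit already uses for the Cloudsmith and STS generators. A near-identical comment sits over the same no-op body in the ecr, gcr, github, mfa, password, quay and sshkey generators and should change with it.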
 

+ 12 - 9
pkg/generator/cloudsmith/cloudsmith.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cloudsmith implements a generator for Cloudsmith access tokens using OIDC.
 package cloudsmith
 
 import (
@@ -34,18 +35,21 @@ import (
 	"sigs.k8s.io/yaml"
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
+// Generator implements the Cloudsmith access token generator.
 type Generator struct {
 	httpClient *http.Client
 }
 
+// OIDCRequest represents the payload sent to Cloudsmith for OIDC token exchange.
 type OIDCRequest struct {
 	OIDCToken   string `json:"oidc_token"`
 	ServiceSlug string `json:"service_slug"`
 }
 
+// OIDCResponse represents the response from Cloudsmith containing the access token.
 type OIDCResponse struct {
 	Token string `json:"token"`
 }
@@ -66,6 +70,7 @@ const (
 	httpClientTimeout = 30 * time.Second
 )
 
+// Generate generates a Cloudsmith access token using the provided cloudsmith JSON spec.
 func (g *Generator) Generate(ctx context.Context, cloudsmithSpec *apiextensions.JSON, kubeClient client.Client, targetNamespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		ctx,
@@ -75,15 +80,13 @@ func (g *Generator) Generate(ctx context.Context, cloudsmithSpec *apiextensions.
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, cloudsmithSpec *apiextensions.JSON, providerState genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup is a no-op for the Cloudsmith generator.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 
-func (g *Generator) generate(
-	ctx context.Context,
-	cloudsmithSpec *apiextensions.JSON,
-	_ client.Client,
-	targetNamespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
+// generate performs the main logic of the Cloudsmith generator.
+func (g *Generator) generate(ctx context.Context, cloudsmithSpec *apiextensions.JSON, _ client.Client, targetNamespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	if cloudsmithSpec == nil {
 		return nil, nil, errors.New(errNoSpec)
 	}
@@ -93,7 +96,7 @@ func (g *Generator) generate(
 	}
 
 	// Fetch the service account token
-	oidcToken, err := utils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, targetNamespace)
+	oidcToken, err := esutils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, targetNamespace)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to fetch service account token: %w", err)
 	}
@@ -108,7 +111,7 @@ func (g *Generator) generate(
 		return nil, nil, fmt.Errorf(errExchangeToken, err)
 	}
 
-	exp, err := utils.ExtractJWTExpiration(accessToken)
+	exp, err := esutils.ExtractJWTExpiration(accessToken)
 	if err != nil {
 		return nil, nil, err
 	}

+ 3 - 3
pkg/generator/cloudsmith/cloudsmith_test.go

@@ -29,7 +29,7 @@ import (
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 const mockJWTToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature"
@@ -136,7 +136,7 @@ func TestCloudsmithGenerator_Generate(t *testing.T) {
 		// Mock JWT token with known payload
 		mockToken := mockJWTToken
 
-		claims, err := utils.ParseJWTClaims(mockToken)
+		claims, err := esutils.ParseJWTClaims(mockToken)
 		if err != nil {
 			t.Fatalf("Failed to get claims: %v", err)
 		}
@@ -153,7 +153,7 @@ func TestCloudsmithGenerator_Generate(t *testing.T) {
 		// Mock JWT token with known exp claim
 		mockToken := mockJWTToken
 
-		exp, err := utils.ExtractJWTExpiration(mockToken)
+		exp, err := esutils.ExtractJWTExpiration(mockToken)
 		if err != nil {
 			t.Fatalf("Failed to get token expiration: %v", err)
 		}

+ 5 - 1
pkg/generator/ecr/ecr.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package ecr provides functionality for generating authentication tokens for AWS Elastic Container Registry.
 package ecr
 
 import (
@@ -44,6 +45,7 @@ type ecrPublicAPI interface {
 	GetAuthorizationToken(ctx context.Context, params *ecrpublic.GetAuthorizationTokenInput, optFuncs ...func(*ecrpublic.Options)) (*ecrpublic.GetAuthorizationTokenOutput, error)
 }
 
+// Generator implements ECR token generation functionality.
 type Generator struct{}
 
 const (
@@ -54,11 +56,13 @@ const (
 	errGetPublicToken  = "unable to get public authorization token: %w"
 )
 
+// Generate creates an authentication token for AWS ECR.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(ctx, jsonSpec, kube, namespace, ecrPrivateFactory, ecrPublicFactory)
 }
 
-func (g *Generator) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, crClient client.Client, namespace string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 

+ 5 - 4
pkg/generator/ecr/resolver.go

@@ -31,15 +31,15 @@ import (
 )
 
 const (
-	ECREndpointEnv       = "AWS_ECR_ENDPOINT"
+	// ECREndpointEnv is the environment variable name for specifying a custom ECR endpoint.
+	ECREndpointEnv = "AWS_ECR_ENDPOINT"
+	// ECRPublicEndpointEnv is the environment variable name for specifying a custom ECR Public endpoint.
 	ECRPublicEndpointEnv = "AWS_ECR_PUBLIC_ENDPOINT"
 )
 
 type ecrCustomEndpointResolver struct{}
 
-// ResolveEndpoint returns a ResolverFunc with
-// customizable endpoints.
-
+// ResolveEndpoint returns a ResolverFunc with customizable endpoints.
 func (c ecrCustomEndpointResolver) ResolveEndpoint(ctx context.Context, params ecr.EndpointParameters) (smithyendpoints.Endpoint, error) {
 	endpoint := smithyendpoints.Endpoint{}
 	if v := os.Getenv(ECREndpointEnv); v != "" {
@@ -56,6 +56,7 @@ func (c ecrCustomEndpointResolver) ResolveEndpoint(ctx context.Context, params e
 
 type ecrPublicCustomEndpointResolver struct{}
 
+// ResolveEndpoint returns a ResolverFunc with customizable endpoints.
 func (c ecrPublicCustomEndpointResolver) ResolveEndpoint(ctx context.Context, params ecrpublic.EndpointParameters) (smithyendpoints.Endpoint, error) {
 	endpoint := smithyendpoints.Endpoint{}
 	if v := os.Getenv(ECRPublicEndpointEnv); v != "" {
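Review bot: The comment on both `ResolveEndpoint` methods says they return "a ResolverFunc", but each signature returns a `smithyendpoints.Endpoint`, and the visible bodies take that endpoint from the `AWS_ECR_ENDPOINT` / `AWS_ECR_PUBLIC_ENDPOINT` environment variables. Since the process environment then decides where ECR authorization requests are sent, the comment should say so, for example `// ResolveEndpoint returns the endpoint set in AWS_ECR_ENDPOINT when that variable is non-empty.`, with the public variant naming `AWS_ECR_PUBLIC_ENDPOINT`. Both bodies continue outside the hunks, so the fallback when the variable is unset is not visible here and should be described from the full function.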

+ 7 - 2
pkg/generator/gcr/gcr.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package gcr provides functionality for generating authentication tokens for Google Container Registry.
 package gcr
 
 import (
@@ -29,10 +30,11 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// Generator implements GCR token generation functionality.
 type Generator struct{}
 
 const (
@@ -43,6 +45,8 @@ const (
 	errGetToken  = "unable to get authorization token: %w"
 )
 
+// Generate creates an authentication token for Google Container Registry.
+// It retrieves the token using the GCP credentials and returns it in the expected format.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		ctx,
@@ -53,7 +57,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	)
 }
 
-func (g *Generator) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, crClient client.Client, namespace string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 

+ 10 - 5
pkg/generator/github/github.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package github provides functionality for generating authentication tokens for GitHub.
 package github
 
 import (
@@ -36,10 +37,12 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements GitHub token generation functionality.
 type Generator struct {
 	httpClient *http.Client
 }
 
+// Github represents a GitHub instance configuration with authentication details.
 type Github struct {
 	HTTP         *http.Client
 	Kube         client.Client
@@ -62,6 +65,8 @@ const (
 	httpClientTimeout = 5 * time.Second
 )
 
+// Generate creates an authentication token for GitHub.
+// It uses a GitHub App installation token to authenticate with GitHub API.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		ctx,
@@ -71,7 +76,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	)
 }
 
-func (g *Generator) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, crClient client.Client, namespace string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 
@@ -186,12 +192,11 @@ func newGHClient(ctx context.Context, k client.Client, n string, hc *http.Client
 	return gh, nil
 }
 
-// Get github installation token.
+// GetInstallationToken generates a GitHub installation token using the provided private key and app ID.
 func GetInstallationToken(key *rsa.PrivateKey, aid string) (string, error) {
 	claims := jwt.RegisteredClaims{
-		Issuer:    aid,
-		IssuedAt:  jwt.NewNumericDate(time.Now().Add(-time.Second * 10)),
-		ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Second * 300)),
+		Issuer:   aid,
+		IssuedAt: jwt.NewNumericDate(time.Now().Add(-time.Second * 10)),
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
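Review bot: The last hunk removes `ExpiresAt` from the `jwt.RegisteredClaims` built in `GetInstallationToken`, so the RS256 token signed with the App private key now carries only `iss` and `iat` and no expiry. That is a behaviour change inside a lint-only commit: a signed assertion with no `exp` does not age out on its own if it is logged or captured, and GitHub's App authentication expects an `exp` claim, so the request is likely to be rejected. I would restore `ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Second * 300)),` and let gofmt realign the three fields. The function body continues outside the hunk, so the use of the signed token is not visible here.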

+ 5 - 1
pkg/generator/grafana/grafana.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package grafana provides functionality for generating Grafana service account tokens.
 package grafana
 
 import (
@@ -33,11 +34,13 @@ import (
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
+// Grafana implements token generation for Grafana service accounts.
 type Grafana struct{}
 
+// Generate creates a new Grafana service account token using the provided configuration.
 func (w *Grafana) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kclient client.Client, ns string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	gen, err := parseSpec(jsonSpec.Raw)
 	if err != nil {
@@ -68,6 +71,7 @@ func (w *Grafana) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kc
 	return tokenResponse(state, res.Payload.Key)
 }
 
+// Cleanup handles any necessary cleanup after token generation.
 func (w *Grafana) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, previousStatus genv1alpha1.GeneratorProviderState, kclient client.Client, ns string) error {
 	if previousStatus == nil {
 		return fmt.Errorf("missing previous status")

+ 6 - 1
pkg/generator/mfa/mfa.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package mfa provides functionality for generating multi-factor authentication tokens.
 package mfa
 
 import (
@@ -29,6 +30,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements MFA token generation functionality.
 type Generator struct{}
 
 const (
@@ -36,6 +38,8 @@ const (
 	errParseSpec = "unable to parse spec: %w"
 )
 
+// Generate creates an MFA token based on the provided configuration.
+// It retrieves the seed from a Kubernetes secret and generates a time-based one-time password.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, c client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	if jsonSpec == nil {
 		return nil, nil, errors.New(errNoSpec)
@@ -79,7 +83,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	}, nil, nil
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 

+ 6 - 2
pkg/generator/password/password.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package password provides functionality for generating secure random passwords.
 package password
 
 import (
@@ -29,6 +30,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements secure random password generation functionality.
 type Generator struct{}
 
 const (
@@ -43,7 +45,7 @@ const (
 )
 
 type generateFunc func(
-	len int,
+	length int,
 	symbols int,
 	symbolCharacters string,
 	digits int,
@@ -51,6 +53,7 @@ type generateFunc func(
 	allowRepeat bool,
 ) (string, error)
 
+// Generate creates a secure random password based on the provided configuration.
 func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _ client.Client, _ string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		jsonSpec,
@@ -58,7 +61,8 @@ func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after password generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 

+ 8 - 4
pkg/generator/quay/quay.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package quay provides functionality for generating authentication tokens for Quay container registry.
 package quay
 
 import (
@@ -32,9 +33,10 @@ import (
 	"sigs.k8s.io/yaml"
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
+// Generator implements token generation for Quay.io container registry.
 type Generator struct {
 	httpClient *http.Client
 }
@@ -49,6 +51,7 @@ const (
 	httpClientTimeout = 5 * time.Second
 )
 
+// Generate creates an authentication token for Quay container registry.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		ctx,
@@ -58,7 +61,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 
@@ -76,7 +80,7 @@ func (g *Generator) generate(
 	}
 
 	// Fetch the service account token
-	token, err := utils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, namespace)
+	token, err := esutils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, namespace)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to fetch service account token: %w", err)
 	}
@@ -90,7 +94,7 @@ func (g *Generator) generate(
 	if err != nil {
 		return nil, nil, err
 	}
-	exp, err := utils.ExtractJWTExpiration(accessToken)
+	exp, err := esutils.ExtractJWTExpiration(accessToken)
 	if err != nil {
 		return nil, nil, err
 	}

+ 2 - 2
pkg/generator/register/register.go

@@ -14,11 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package register provides registration functionality for generators.
 package register
 
-// packages imported here are registered to the controller schema.
-
 import (
+	// Import all generators for their side effects (registration).
 	_ "github.com/external-secrets/external-secrets/pkg/generator/acr"
 	_ "github.com/external-secrets/external-secrets/pkg/generator/cloudsmith"
 	_ "github.com/external-secrets/external-secrets/pkg/generator/ecr"

+ 5 - 1
pkg/generator/sshkey/sshkey.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package sshkey provides functionality for generating SSH key pairs.
 package sshkey
 
 import (
@@ -33,6 +34,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements SSH key pair generation functionality.
 type Generator struct{}
 
 const (
@@ -47,6 +49,7 @@ const (
 
 type generateFunc func(keyType string, keySize *int, comment string) (privateKey, publicKey []byte, err error)
 
+// Generate creates a new SSH key pair.
 func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _ client.Client, _ string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		jsonSpec,
@@ -54,7 +57,8 @@ func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after key generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 

+ 6 - 3
pkg/generator/statemanager/statemanager.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package statemanager provides functionality for managing state of generator operations.
 package statemanager
 
 import (
@@ -31,8 +32,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	genapi "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/feature"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 // Manager takes care of maintaining the state of the generators.
@@ -49,6 +50,7 @@ type Manager struct {
 	queue []QueueItem
 }
 
+// QueueItem represents a single item in the state manager's queue.
 type QueueItem struct {
 	Rollback func() error
 	Commit   func() error
@@ -64,6 +66,7 @@ func init() {
 	})
 }
 
+// New creates a new state manager instance with the given configuration.
 func New(ctx context.Context, client client.Client, scheme *runtime.Scheme, namespace string,
 	resource genapi.StatefulResource) *Manager {
 	return &Manager{
@@ -182,7 +185,7 @@ func (m *Manager) createGeneratorState(resource *apiextensions.JSON, state genap
 }
 
 func ownerKey(resource genapi.StatefulResource, key string) string {
-	return utils.ObjectHash(fmt.Sprintf("%s-%s-%s-%s",
+	return esutils.ObjectHash(fmt.Sprintf("%s-%s-%s-%s",
 		resource.GetObjectKind().GroupVersionKind().Kind,
 		resource.GetNamespace(),
 		resource.GetName(),
@@ -222,7 +225,7 @@ func (m *Manager) disposeState(key string) error {
 	return errors.Join(errs...)
 }
 
-// GetLatest returns the latest state for the given key.
+// GetAllStates retrieves all the stored states for the given key.
 func (m *Manager) GetAllStates(key string) ([]genapi.GeneratorState, error) {
 	var stateList genapi.GeneratorStateList
 	if err := m.client.List(m.ctx, &stateList, &client.MatchingLabels{

+ 6 - 1
pkg/generator/sts/sts.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package sts implements a generator for AWS STS session tokens
 package sts
 
 import (
@@ -38,8 +39,10 @@ type stsAPI interface {
 	GetSessionToken(ctx context.Context, params *sts.GetSessionTokenInput, optFns ...func(*sts.Options)) (*sts.GetSessionTokenOutput, error)
 }
 
+// Generator implements a generator for AWS STS session tokens.
 type Generator struct{}
 
+// const error messages.
 const (
 	errNoSpec     = "no config spec provided"
 	errParseSpec  = "unable to parse spec: %w"
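Review bot: `// const error messages.` on the const block only restates the keyword and does not tell a reader how the strings are used. A comment such as `// Error message formats; the entries containing %w are meant for fmt.Errorf.` would carry more information. The package comment added at the top of this file is also missing its closing period, unlike the other package comments added in this commit. The const block continues outside this hunk.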
@@ -47,6 +50,7 @@ const (
 	errGetToken   = "unable to get authorization token: %w"
 )
 
+// Generate creates AWS STS session tokens and returns credentials.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(ctx, jsonSpec, kube, namespace, stsFactory)
 }
@@ -105,7 +109,8 @@ func (g *Generator) generate(
 	}, nil, nil
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup is a no-op for STS generator as it doesn't require any cleanup.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 

+ 5 - 5
pkg/generator/sts/sts_test.go

@@ -32,7 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 func TestGenerate(t *testing.T) {
@@ -90,10 +90,10 @@ func TestGenerate(t *testing.T) {
 					t := time.Unix(1234, 0)
 					return &sts.GetSessionTokenOutput{
 						Credentials: &ststypes.Credentials{
-							AccessKeyId:     utils.Ptr("access-key-id"),
-							Expiration:      utils.Ptr(t),
-							SecretAccessKey: utils.Ptr("secret-access-key"),
-							SessionToken:    utils.Ptr("session-token"),
+							AccessKeyId:     esutils.Ptr("access-key-id"),
+							Expiration:      esutils.Ptr(t),
+							SecretAccessKey: esutils.Ptr("secret-access-key"),
+							SessionToken:    esutils.Ptr("session-token"),
 						},
 					}, nil
 				},

+ 5 - 1
pkg/generator/uuid/uuid.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package uuid provides functionality for generating random UUIDs.
 package uuid
 
 import (
@@ -27,10 +28,12 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements random UUID generation functionality.
 type Generator struct{}
 
 type generateFunc func() (string, error)
 
+// Generate creates a random UUID.
 func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _ client.Client, _ string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		jsonSpec,
@@ -38,7 +41,8 @@ func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
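Review bot: The added comment says Cleanup `performs any necessary cleanup after token generation`, but the body is `return nil` and this generator produces UUIDs, not tokens. A comment like `// Cleanup is a no-op; the UUID generator creates nothing that needs cleaning up.` would match the wording already used in sts.go. The Cleanup comments added in vault/vault.go and webhook/webhook.go have the same problem. It matters most for Vault, where a reader could take the comment to mean that issued dynamic credentials are revoked, while the visible body does nothing; the comment there should say that credentials are left to expire on the Vault side, if that is the intent.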
 

+ 8 - 4
pkg/generator/vault/vault.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package vaultdynamic provides functionality for generating dynamic credentials from HashiCorp Vault.
 package vaultdynamic
 
 import (
@@ -31,11 +32,12 @@ import (
 	"sigs.k8s.io/yaml"
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	provider "github.com/external-secrets/external-secrets/pkg/provider/vault"
 	"github.com/external-secrets/external-secrets/pkg/provider/vault/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
+// Generator implements credential generation using HashiCorp Vault's dynamic secrets.
 type Generator struct{}
 
 const (
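Review bot: The context import `github.com/external-secrets/external-secrets/pkg/provider/vault/util` carries no alias, yet the new code in this file refers to the package as `vaultutil` (`cl vaultutil.Client` in the fetchVaultSecret hunk), so the package name presumably no longer matches the last path element. An explicit alias, `vaultutil "github.com/external-secrets/external-secrets/pkg/provider/vault/util"`, lets a reader resolve the identifier from the import block alone. The same applies to the unaliased `pkg/provider/aws/util` imports in aws/auth/auth.go, aws/parameterstore/parameterstore.go and aws/provider.go, which the new code uses as `awsutil`.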
@@ -45,6 +47,7 @@ const (
 	errGetSecret   = "unable to get dynamic secret: %w"
 )
 
+// Generate creates dynamic credentials using HashiCorp Vault's secrets engines.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	c := &provider.Provider{NewVaultClient: provider.NewVaultClient}
 
@@ -63,7 +66,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	return g.generate(ctx, c, jsonSpec, kube, clientset.CoreV1(), namespace)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 
@@ -98,7 +102,7 @@ func (g *Generator) generate(ctx context.Context, c *provider.Provider, jsonSpec
 	return g.prepareResponse(spec, result)
 }
 
-func (g *Generator) fetchVaultSecret(ctx context.Context, res *genv1alpha1.VaultDynamicSecret, cl util.Client) (*vault.Secret, error) {
+func (g *Generator) fetchVaultSecret(ctx context.Context, res *genv1alpha1.VaultDynamicSecret, cl vaultutil.Client) (*vault.Secret, error) {
 	var (
 		result *vault.Secret
 		err    error
@@ -151,7 +155,7 @@ func (g *Generator) prepareResponse(res *genv1alpha1.VaultDynamicSecret, result
 	}
 
 	for k := range data {
-		response[k], err = utils.GetByteValueFromMap(data, k)
+		response[k], err = esutils.GetByteValueFromMap(data, k)
 		if err != nil {
 			return nil, nil, err
 		}

+ 1 - 1
pkg/generator/vault/vault_test.go

@@ -40,7 +40,7 @@ type args struct {
 	jsonSpec      *apiextensions.JSON
 	kube          kclient.Client
 	corev1        typedcorev1.CoreV1Interface
-	vaultClientFn func(config *vaultapi.Config) (util.Client, error)
+	vaultClientFn func(config *vaultapi.Config) (vaultutil.Client, error)
 }
 
 type want struct {

+ 5 - 1
pkg/generator/webhook/webhook.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package webhook provides functionality for generating secrets through webhook calls.
 package webhook
 
 import (
@@ -28,11 +29,13 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/common/webhook"
 )
 
+// Webhook represents a generator that calls external webhooks to generate secrets.
 type Webhook struct {
 	wh  webhook.Webhook
 	url string
 }
 
+// Generate creates secrets by making webhook calls to external services.
 func (w *Webhook) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kclient client.Client, ns string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	w.wh.EnforceLabels = true
 	w.wh.ClusterScoped = false
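Review bot: The new doc comment on Generate does not mention that the method overwrites `w.wh.EnforceLabels` and `w.wh.ClusterScoped` on the receiver before doing anything else. Both look like settings that restrict which secrets the webhook client may read, so they are worth stating where callers will see them, for example `// Generate calls the configured webhook and returns its response as secret data. It always forces EnforceLabels on and ClusterScoped off for the underlying client.` Generate's body continues outside the hunk, so what the two fields control is inferred from their names and should be confirmed against pkg/common/webhook.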
@@ -52,7 +55,8 @@ func (w *Webhook) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kc
 	return data, nil, err
 }
 
-func (w *Webhook) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup operations after secret generation.
+func (w *Webhook) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 

+ 5 - 1
pkg/metrics/metrics.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package metrics provides functionality for collecting and managing metrics in the external-secrets system.
 package metrics
 
 import (
@@ -24,8 +25,10 @@ import (
 )
 
 const (
+	// ExternalSecretSubsystem is the subsystem name used for external secret metrics.
 	ExternalSecretSubsystem = "externalsecret"
-	providerAPICalls        = "provider_api_calls_count"
+
+	providerAPICalls = "provider_api_calls_count"
 )
 
 var (
@@ -36,6 +39,7 @@ var (
 	}, []string{"provider", "call", "status"})
 )
 
+// ObserveAPICall records metrics for an API call to a provider.
 func ObserveAPICall(provider, call string, err error) {
 	syncCallsTotal.WithLabelValues(provider, call, deriveStatus(err)).Inc()
 }

+ 14 - 14
pkg/provider/akeyless/akeyless.go

@@ -42,8 +42,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/find"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 // Ctx is a type used for context keys in Akeyless provider implementations.
@@ -144,12 +144,12 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	}
 	if akeylessSpec.Auth.KubernetesAuth != nil {
 		if akeylessSpec.Auth.KubernetesAuth.ServiceAccountRef != nil {
-			if err := utils.ValidateReferentServiceAccountSelector(store, *akeylessSpec.Auth.KubernetesAuth.ServiceAccountRef); err != nil {
+			if err := esutils.ValidateReferentServiceAccountSelector(store, *akeylessSpec.Auth.KubernetesAuth.ServiceAccountRef); err != nil {
 				return nil, fmt.Errorf(errInvalidKubeSA, err)
 			}
 		}
 		if akeylessSpec.Auth.KubernetesAuth.SecretRef != nil {
-			err := utils.ValidateSecretSelector(store, *akeylessSpec.Auth.KubernetesAuth.SecretRef)
+			err := esutils.ValidateSecretSelector(store, *akeylessSpec.Auth.KubernetesAuth.SecretRef)
 			if err != nil {
 				return nil, err
 			}
@@ -166,7 +166,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	}
 
 	accessID := akeylessSpec.Auth.SecretRef.AccessID
-	err := utils.ValidateSecretSelector(store, accessID)
+	err := esutils.ValidateSecretSelector(store, accessID)
 	if err != nil {
 		return nil, err
 	}
@@ -180,13 +180,13 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	}
 
 	accessType := akeylessSpec.Auth.SecretRef.AccessType
-	err = utils.ValidateSecretSelector(store, accessType)
+	err = esutils.ValidateSecretSelector(store, accessType)
 	if err != nil {
 		return nil, err
 	}
 
 	accessTypeParam := akeylessSpec.Auth.SecretRef.AccessTypeParam
-	err = utils.ValidateSecretSelector(store, accessTypeParam)
+	err = esutils.ValidateSecretSelector(store, accessTypeParam)
 	if err != nil {
 		return nil, err
 	}
@@ -256,7 +256,7 @@ func (a *Akeyless) Validate() (esv1.ValidationResult, error) {
 	timeout := 15 * time.Second
 	serviceURL := a.url
 
-	if err := utils.NetworkValidate(serviceURL, timeout); err != nil {
+	if err := esutils.NetworkValidate(serviceURL, timeout); err != nil {
 		return esv1.ValidationResultError, err
 	}
 
@@ -266,7 +266,7 @@ func (a *Akeyless) Validate() (esv1.ValidationResult, error) {
 // GetSecret retrieves a secret with the secret name defined in ref.Name.
 // Implements store.Client.GetSecret Interface.
 func (a *Akeyless) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 	ctx, err := a.contextWithToken(ctx)
@@ -310,7 +310,7 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRem
 // GetAllSecrets Implements store.Client.GetAllSecrets Interface.
 // Retrieves all secrets with defined in ref.Name or tags.
 func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 	ctx, err := a.contextWithToken(ctx)
@@ -398,7 +398,7 @@ func (a *Akeyless) findSecretsFromName(ctx context.Context, searchPath string, r
 // GetSecretMap implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
 func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 	val, err := a.GetSecret(ctx, ref)
@@ -422,7 +422,7 @@ func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretData
 
 // SecretExists checks if a secret exists in Akeyless Vault at the specified remote reference.
 func (a *Akeyless) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return false, errors.New(errUninitalizedAkeylessProvider)
 	}
 	secret, err := a.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: ref.GetRemoteKey()})
@@ -454,7 +454,7 @@ func initMapIfNotExist(psd esv1.PushSecretData, secretMapSize int) map[string]an
 
 // PushSecret pushes a Kubernetes secret to Akeyless Vault using the provided data.
 func (a *Akeyless) PushSecret(ctx context.Context, secret *corev1.Secret, psd esv1.PushSecretData) error {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return errors.New(errUninitalizedAkeylessProvider)
 	}
 	ctx, err := a.contextWithToken(ctx)
@@ -498,7 +498,7 @@ func (a *Akeyless) PushSecret(ctx context.Context, secret *corev1.Secret, psd es
 
 // DeleteSecret deletes a secret from Akeyless Vault at the specified remote reference.
 func (a *Akeyless) DeleteSecret(ctx context.Context, psr esv1.PushSecretRemoteRef) error {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return errors.New(errUninitalizedAkeylessProvider)
 	}
 	ctx, err := a.contextWithToken(ctx)
@@ -544,7 +544,7 @@ func (a *akeylessBase) getAkeylessHTTPClient(ctx context.Context, provider *esv1
 		return client, nil
 	}
 
-	cert, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
+	cert, err := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
 		StoreKind:  a.storeKind,
 		Client:     a.kube,
 		Namespace:  a.namespace,

+ 1 - 1
pkg/provider/akeyless/akeyless_api.go

@@ -38,8 +38,8 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 var (

+ 1 - 1
pkg/provider/akeyless/auth.go

@@ -21,7 +21,7 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 const (

+ 21 - 21
pkg/provider/alibaba/client.go

@@ -34,7 +34,7 @@ import (
 	"github.com/alibabacloud-go/tea/tea"
 	"github.com/hashicorp/go-retryablehttp"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 const (
@@ -70,7 +70,7 @@ func newClient(config *openapi.Config, options *util.RuntimeOptions) (*secretsMa
 		return nil, fmt.Errorf("failed to get KMS endpoint: %w", err)
 	}
 
-	if utils.Deref(endpoint) == "" {
+	if esutils.Deref(endpoint) == "" {
 		return nil, errors.New("error KMS endpoint is missing")
 	}
 
@@ -85,9 +85,9 @@ func newClient(config *openapi.Config, options *util.RuntimeOptions) (*secretsMa
 	}
 
 	const defaultRetryAttempts = 3
-	if utils.Deref(options.Autoretry) {
+	if esutils.Deref(options.Autoretry) {
 		if options.MaxAttempts != nil {
-			retryClient.RetryMax = utils.Deref(options.MaxAttempts)
+			retryClient.RetryMax = esutils.Deref(options.MaxAttempts)
 		} else {
 			retryClient.RetryMax = defaultRetryAttempts
 		}
@@ -96,7 +96,7 @@ func newClient(config *openapi.Config, options *util.RuntimeOptions) (*secretsMa
 	return &secretsManagerClient{
 		config:   config,
 		options:  options,
-		endpoint: utils.Deref(endpoint),
+		endpoint: esutils.Deref(endpoint),
 		client:   retryClient.StandardClient(),
 	}, nil
 }
@@ -111,10 +111,10 @@ func (s *secretsManagerClient) GetSecretValue(
 ) (*kms.GetSecretValueResponseBody, error) {
 	resp, err := s.doAPICall(ctx, "GetSecretValue", request)
 	if err != nil {
-		return nil, fmt.Errorf("error getting secret [%s] latest value: %w", utils.Deref(request.SecretName), err)
+		return nil, fmt.Errorf("error getting secret [%s] latest value: %w", esutils.Deref(request.SecretName), err)
 	}
 
-	body, err := utils.ConvertToType[kms.GetSecretValueResponseBody](resp)
+	body, err := esutils.ConvertToType[kms.GetSecretValueResponseBody](resp)
 	if err != nil {
 		return nil, fmt.Errorf("error converting body: %w", err)
 	}
@@ -133,11 +133,11 @@ func (s *secretsManagerClient) doAPICall(ctx context.Context,
 	apiRequest := newOpenAPIRequest(s.endpoint, action, methodTypeGET, request)
 	apiRequest.query["AccessKeyId"] = creds.AccessKeyId
 
-	if utils.Deref(creds.SecurityToken) != "" {
+	if esutils.Deref(creds.SecurityToken) != "" {
 		apiRequest.query["SecurityToken"] = creds.SecurityToken
 	}
 
-	apiRequest.query["Signature"] = openapiutil.GetRPCSignature(apiRequest.query, utils.Ptr(apiRequest.method.String()), creds.AccessKeySecret)
+	apiRequest.query["Signature"] = openapiutil.GetRPCSignature(apiRequest.query, esutils.Ptr(apiRequest.method.String()), creds.AccessKeySecret)
 
 	httpReq, err := newHTTPRequestWithContext(ctx, apiRequest)
 	if err != nil {
@@ -156,8 +156,8 @@ func (s *secretsManagerClient) doAPICall(ctx context.Context,
 }
 
 func (s *secretsManagerClient) parseResponse(resp *http.Response) (map[string]any, error) {
-	statusCode := utils.Ptr(resp.StatusCode)
-	if utils.Deref(util.Is4xx(statusCode)) || utils.Deref(util.Is5xx(statusCode)) {
+	statusCode := esutils.Ptr(resp.StatusCode)
+	if esutils.Deref(util.Is4xx(statusCode)) || esutils.Deref(util.Is5xx(statusCode)) {
 		return nil, s.parseErrorResponse(resp)
 	}
 
@@ -185,7 +185,7 @@ func (s *secretsManagerClient) parseErrorResponse(resp *http.Response) error {
 		return err
 	}
 
-	errorMap["statusCode"] = utils.Ptr(resp.StatusCode)
+	errorMap["statusCode"] = esutils.Ptr(resp.StatusCode)
 	err = tea.NewSDKError(map[string]any{
 		"code":               tea.ToString(defaultAny(errorMap["Code"], errorMap["code"])),
 		"message":            fmt.Sprintf("code: %s, %s", tea.ToString(resp.StatusCode), tea.ToString(defaultAny(errorMap["Message"], errorMap["message"]))),
@@ -223,18 +223,18 @@ func newOpenAPIRequest(endpoint string,
 		method:   method,
 		headers: map[string]*string{
 			"host":          &endpoint,
-			"x-acs-version": utils.Ptr(kmsAPIVersion),
+			"x-acs-version": esutils.Ptr(kmsAPIVersion),
 			"x-acs-action":  &action,
-			"user-agent":    utils.Ptr(fmt.Sprintf("AlibabaCloud (%s; %s) Golang/%s Core/%s TeaDSL/1", runtime.GOOS, runtime.GOARCH, strings.Trim(runtime.Version(), "go"), "0.01")),
+			"user-agent":    esutils.Ptr(fmt.Sprintf("AlibabaCloud (%s; %s) Golang/%s Core/%s TeaDSL/1", runtime.GOOS, runtime.GOARCH, strings.Trim(runtime.Version(), "go"), "0.01")),
 		},
 		query: map[string]*string{
 			"Action":           &action,
-			"Format":           utils.Ptr("json"),
-			"Version":          utils.Ptr(kmsAPIVersion),
+			"Format":           esutils.Ptr("json"),
+			"Version":          esutils.Ptr(kmsAPIVersion),
 			"Timestamp":        openapiutil.GetTimestamp(),
 			"SignatureNonce":   util.GetNonce(),
-			"SignatureMethod":  utils.Ptr("HMAC-SHA1"),
-			"SignatureVersion": utils.Ptr("1.0"),
+			"SignatureMethod":  esutils.Ptr("HMAC-SHA1"),
+			"SignatureVersion": esutils.Ptr("1.0"),
 		},
 	}
 
@@ -246,7 +246,7 @@ func newHTTPRequestWithContext(ctx context.Context,
 	req *openAPIRequest) (*http.Request, error) {
 	query := url.Values{}
 	for k, v := range req.query {
-		query.Add(k, utils.Deref(v))
+		query.Add(k, esutils.Deref(v))
 	}
 
 	httpReq, err := http.NewRequestWithContext(ctx, req.method.String(), fmt.Sprintf("https://%s/?%s", url.PathEscape(req.endpoint), query.Encode()), http.NoBody)
@@ -255,14 +255,14 @@ func newHTTPRequestWithContext(ctx context.Context,
 	}
 
 	for k, v := range req.headers {
-		httpReq.Header.Add(k, utils.Deref(v))
+		httpReq.Header.Add(k, esutils.Deref(v))
 	}
 
 	return httpReq, nil
 }
 
 func defaultAny(inputValue, defaultValue any) any {
-	if utils.Deref(util.IsUnset(inputValue)) {
+	if esutils.Deref(util.IsUnset(inputValue)) {
 		return defaultValue
 	}
 

+ 20 - 20
pkg/provider/alibaba/kms.go

@@ -33,8 +33,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 const (
@@ -84,7 +84,7 @@ func (kms *KeyManagementService) GetAllSecrets(_ context.Context, _ esv1.Externa
 
 // GetSecret returns a single secret from the provider.
 func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	if utils.IsNil(kms.Client) {
+	if esutils.IsNil(kms.Client) {
 		return nil, errors.New(errUninitalizedAlibabaProvider)
 	}
 
@@ -101,14 +101,14 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1.Externa
 		return nil, SanitizeErr(err)
 	}
 	if ref.Property == "" {
-		if utils.Deref(secretOut.SecretData) != "" {
-			return []byte(utils.Deref(secretOut.SecretData)), nil
+		if esutils.Deref(secretOut.SecretData) != "" {
+			return []byte(esutils.Deref(secretOut.SecretData)), nil
 		}
 		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
 	}
 	var payload string
-	if utils.Deref(secretOut.SecretData) != "" {
-		payload = utils.Deref(secretOut.SecretData)
+	if esutils.Deref(secretOut.SecretData) != "" {
+		payload = esutils.Deref(secretOut.SecretData)
 	}
 	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
@@ -151,7 +151,7 @@ func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1.Gener
 	}
 
 	config := &openapi.Config{
-		RegionId:   utils.Ptr(alibabaSpec.RegionID),
+		RegionId:   esutils.Ptr(alibabaSpec.RegionID),
 		Credential: credentials,
 	}
 
@@ -180,8 +180,8 @@ func newOptions(store esv1.GenericStore) *util.RuntimeOptions {
 			retryAmount = 3
 		}
 
-		options.Autoretry = utils.Ptr(true)
-		options.MaxAttempts = utils.Ptr(retryAmount)
+		options.Autoretry = esutils.Ptr(true)
+		options.MaxAttempts = esutils.Ptr(retryAmount)
 	}
 
 	return options
@@ -220,9 +220,9 @@ func newRRSAAuth(store esv1.GenericStore) (credential.Credential, error) {
 		OIDCTokenFilePath: &alibabaSpec.Auth.RRSAAuth.OIDCTokenFilePath,
 		RoleArn:           &alibabaSpec.Auth.RRSAAuth.RoleARN,
 		RoleSessionName:   &alibabaSpec.Auth.RRSAAuth.SessionName,
-		Type:              utils.Ptr("oidc_role_arn"),
-		ConnectTimeout:    utils.Ptr(30 * 1000),
-		Timeout:           utils.Ptr(60 * 1000),
+		Type:              esutils.Ptr("oidc_role_arn"),
+		ConnectTimeout:    esutils.Ptr(30 * 1000),
+		Timeout:           esutils.Ptr(60 * 1000),
 	}
 
 	return credential.NewCredential(credentialConfig)
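Review bot: newRRSAAuth sets `ConnectTimeout: esutils.Ptr(30 * 1000)` and `Timeout: esutils.Ptr(60 * 1000)`, while newAccessKeyAuth in the next hunk sets the same two `credential.Config` fields to `30` and `60`. The unit is not visible on this page, but the two constructors differ by a factor of 1000, so one of them is presumably not what was intended; if the fields are milliseconds, the access-key path gets a 30 ms connect timeout. Named constants shared by both constructors, for example `const connectTimeoutMs = 30 * 1000`, would make the unit explicit and keep the values in step. Both function bodies start outside their hunks.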
@@ -241,11 +241,11 @@ func newAccessKeyAuth(ctx context.Context, kube kclient.Client, store esv1.Gener
 		return nil, fmt.Errorf(errFetchAccessKeySecret, err)
 	}
 	credentialConfig := &credential.Config{
-		AccessKeyId:     utils.Ptr(accessKeyID),
-		AccessKeySecret: utils.Ptr(accessKeySecret),
-		Type:            utils.Ptr("access_key"),
-		ConnectTimeout:  utils.Ptr(30),
-		Timeout:         utils.Ptr(60),
+		AccessKeyId:     esutils.Ptr(accessKeyID),
+		AccessKeySecret: esutils.Ptr(accessKeySecret),
+		Type:            esutils.Ptr("access_key"),
+		ConnectTimeout:  esutils.Ptr(30),
+		Timeout:         esutils.Ptr(60),
 	}
 
 	return credential.NewCredential(credentialConfig)
@@ -331,7 +331,7 @@ func (kms *KeyManagementService) validateStoreAccessKeyAuth(store esv1.GenericSt
 	alibabaSpec := storeSpec.Provider.Alibaba
 
 	accessKeyID := alibabaSpec.Auth.SecretRef.AccessKeyID
-	err := utils.ValidateSecretSelector(store, accessKeyID)
+	err := esutils.ValidateSecretSelector(store, accessKeyID)
 	if err != nil {
 		return err
 	}
@@ -345,7 +345,7 @@ func (kms *KeyManagementService) validateStoreAccessKeyAuth(store esv1.GenericSt
 	}
 
 	accessKeySecret := alibabaSpec.Auth.SecretRef.AccessKeySecret
-	err = utils.ValidateSecretSelector(store, accessKeySecret)
+	err = esutils.ValidateSecretSelector(store, accessKeySecret)
 	if err != nil {
 		return err
 	}

+ 11 - 11
pkg/provider/alibaba/kms_test.go

@@ -27,8 +27,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/alibaba/fake"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 const (
@@ -71,14 +71,14 @@ func makeValidRef() *esv1.ExternalSecretDataRemoteRef {
 
 func makeValidAPIInput() *kmssdk.GetSecretValueRequest {
 	return &kmssdk.GetSecretValueRequest{
-		SecretName: utils.Ptr(secretName),
+		SecretName: esutils.Ptr(secretName),
 	}
 }
 
 func makeValidAPIOutput() *kmssdk.GetSecretValueResponseBody {
 	response := &kmssdk.GetSecretValueResponseBody{
-		SecretName:    utils.Ptr(secretName),
-		SecretData:    utils.Ptr(secretValue),
+		SecretName:    esutils.Ptr(secretName),
+		SecretData:    esutils.Ptr(secretValue),
 		VersionStages: &kmssdk.GetSecretValueResponseBodyVersionStages{},
 	}
 	return response
@@ -111,16 +111,16 @@ func TestAlibabaKMSGetSecret(t *testing.T) {
 	// good case: default version is set
 	// key is passed in, output is sent back
 	setSecretString := func(kmstc *keyManagementServiceTestCase) {
-		kmstc.apiOutput.SecretName = utils.Ptr(secretName)
-		kmstc.apiOutput.SecretData = utils.Ptr(secretValue)
+		kmstc.apiOutput.SecretName = esutils.Ptr(secretName)
+		kmstc.apiOutput.SecretData = esutils.Ptr(secretValue)
 		kmstc.expectedSecret = secretValue
 	}
 
 	// good case: custom version set
 	setCustomKey := func(kmstc *keyManagementServiceTestCase) {
-		kmstc.apiOutput.SecretName = utils.Ptr("test-example-other")
+		kmstc.apiOutput.SecretName = esutils.Ptr("test-example-other")
 		kmstc.ref.Key = "test-example-other"
-		kmstc.apiOutput.SecretData = utils.Ptr(secretValue)
+		kmstc.apiOutput.SecretData = esutils.Ptr(secretValue)
 		kmstc.expectedSecret = secretValue
 	}
 
@@ -147,14 +147,14 @@ func TestAlibabaKMSGetSecret(t *testing.T) {
 func TestGetSecretMap(t *testing.T) {
 	// good case: default version & deserialization
 	setDeserialization := func(kmstc *keyManagementServiceTestCase) {
-		kmstc.apiOutput.SecretName = utils.Ptr("foo")
+		kmstc.apiOutput.SecretName = esutils.Ptr("foo")
 		kmstc.expectedData["foo"] = []byte("bar")
-		kmstc.apiOutput.SecretData = utils.Ptr(`{"foo":"bar"}`)
+		kmstc.apiOutput.SecretData = esutils.Ptr(`{"foo":"bar"}`)
 	}
 
 	// bad case: invalid json
 	setInvalidJSON := func(kmstc *keyManagementServiceTestCase) {
-		kmstc.apiOutput.SecretData = utils.Ptr("-----------------")
+		kmstc.apiOutput.SecretData = esutils.Ptr("-----------------")
 		kmstc.expectError = "unable to unmarshal secret"
 	}
 

+ 2 - 2
pkg/provider/aws/auth/auth.go

@@ -37,9 +37,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/feature"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
@@ -88,7 +88,7 @@ type Opts struct {
 // * static credentials from a Kind=Secret, optionally with doing a AssumeRole.
 // * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
 func New(ctx context.Context, opts Opts) (*aws.Config, error) {
-	prov, err := util.GetAWSProvider(opts.Store)
+	prov, err := awsutil.GetAWSProvider(opts.Store)
 	if err != nil {
 		return nil, err
 	}

+ 11 - 9
pkg/provider/aws/parameterstore/parameterstore.go

@@ -36,11 +36,11 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/external-secrets/external-secrets/pkg/find"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
 )
 
 // Tier defines policy details for PushSecret.
@@ -270,10 +270,10 @@ func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret,
 func (pm *ParameterStore) encodeSecretData(encodeAsDecoded bool, data map[string][]byte) ([]byte, error) {
 	if encodeAsDecoded {
 		// This will result in map byte slices not being base64 encoded by json.Marshal.
-		return utils.JSONMarshal(convertMap(data))
+		return esutils.JSONMarshal(convertMap(data))
 	}
 
-	return utils.JSONMarshal(data)
+	return esutils.JSONMarshal(data)
 }
 
 func convertMap(in map[string][]byte) map[string]string {
@@ -311,7 +311,7 @@ func (pm *ParameterStore) setExisting(ctx context.Context, existing *ssm.GetPara
 		return err
 	}
 
-	tagKeysToRemove := util.FindTagKeysToRemove(tags, metaTags)
+	tagKeysToRemove := awsutil.FindTagKeysToRemove(tags, metaTags)
 	if len(tagKeysToRemove) > 0 {
 		_, err = pm.client.RemoveTagsFromResource(ctx, &ssm.RemoveTagsFromResourceInput{
 			ResourceId:   existing.Parameter.Name,
@@ -516,7 +516,7 @@ func (pm *ParameterStore) fetchAndSet(ctx context.Context, data map[string][]byt
 	})
 	metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSGetParameter, err)
 	if err != nil {
-		return util.SanitizeErr(err)
+		return awsutil.SanitizeErr(err)
 	}
 
 	data[name] = []byte(*out.Parameter.Value)
@@ -539,7 +539,7 @@ func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1.ExternalSecret
 		return nil, esv1.NoSecretErr
 	}
 	if err != nil {
-		return nil, util.SanitizeErr(err)
+		return nil, awsutil.SanitizeErr(err)
 	}
 	if ref.Property == "" {
 		if out.Parameter.Value != nil {
@@ -572,13 +572,15 @@ func (pm *ParameterStore) getParameterTags(ctx context.Context, ref esv1.Externa
 	if err != nil {
 		return nil, err
 	}
-	json, err := util.ParameterTagsToJSONString(tags)
+
+	jsonStr, err := awsutil.ParameterTagsToJSONString(tags)
 	if err != nil {
 		return nil, err
 	}
+
 	out := &ssm.GetParameterOutput{
 		Parameter: &ssmTypes.Parameter{
-			Value: &json,
+			Value: &jsonStr,
 		},
 	}
 	return out, nil

+ 2 - 2
pkg/provider/aws/parameterstore/parameterstore_test.go

@@ -25,7 +25,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	ssmtypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -865,7 +865,7 @@ func TestGetSecret(t *testing.T) {
 			TagList: getTagSlice(),
 		}
 		pstc.fakeClient.ListTagsForResourceFn = fakeps.NewListTagsForResourceFn(&output, nil)
-		pstc.expectedSecret, _ = util.ParameterTagsToJSONString(normaliseTags(getTagSlice()))
+		pstc.expectedSecret, _ = awsutil.ParameterTagsToJSONString(normaliseTags(getTagSlice()))
 	}
 
 	// good case: metadata property returned

+ 9 - 9
pkg/provider/aws/provider.go

@@ -32,11 +32,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 // https://github.com/external-secrets/external-secrets/issues/644
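Review bot: The import `"github.com/external-secrets/external-secrets/pkg/provider/aws/util"` is left unaliased, but the package in that directory is now declared as `awsutil`, so the identifier used in this file no longer matches the last element of the import path. A reader or a grep cannot tell where `awsutil` comes from without opening the package. Either give the import an explicit name, `awsutil "github.com/external-secrets/external-secrets/pkg/provider/aws/util"`, or rename the directory to match. The same applies to the `aws/util` import in secretsmanager.go and the `conjur/util` import (package `conjurutil`) in conjur/client.go.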
@@ -65,7 +65,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 
 // ValidateStore validates the configuration of the AWS SecretStore.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
-	prov, err := util.GetAWSProvider(store)
+	prov, err := awsutil.GetAWSProvider(store)
 	if err != nil {
 		return nil, err
 	}
@@ -80,14 +80,14 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 	// case: static credentials
 	if prov.Auth.SecretRef != nil {
-		if err := utils.ValidateReferentSecretSelector(store, prov.Auth.SecretRef.AccessKeyID); err != nil {
+		if err := esutils.ValidateReferentSecretSelector(store, prov.Auth.SecretRef.AccessKeyID); err != nil {
 			return nil, fmt.Errorf("invalid Auth.SecretRef.AccessKeyID: %w", err)
 		}
-		if err := utils.ValidateReferentSecretSelector(store, prov.Auth.SecretRef.SecretAccessKey); err != nil {
+		if err := esutils.ValidateReferentSecretSelector(store, prov.Auth.SecretRef.SecretAccessKey); err != nil {
 			return nil, fmt.Errorf("invalid Auth.SecretRef.SecretAccessKey: %w", err)
 		}
 		if prov.Auth.SecretRef.SessionToken != nil {
-			if err := utils.ValidateReferentSecretSelector(store, *prov.Auth.SecretRef.SessionToken); err != nil {
+			if err := esutils.ValidateReferentSecretSelector(store, *prov.Auth.SecretRef.SessionToken); err != nil {
 				return nil, fmt.Errorf("invalid Auth.SecretRef.SessionToken: %w", err)
 			}
 		}
@@ -95,7 +95,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 	// case: jwt credentials
 	if prov.Auth.JWTAuth != nil && prov.Auth.JWTAuth.ServiceAccountRef != nil {
-		if err := utils.ValidateReferentServiceAccountSelector(store, *prov.Auth.JWTAuth.ServiceAccountRef); err != nil {
+		if err := esutils.ValidateReferentServiceAccountSelector(store, *prov.Auth.JWTAuth.ServiceAccountRef); err != nil {
 			return nil, fmt.Errorf("invalid Auth.JWT.ServiceAccountRef: %w", err)
 		}
 	}
@@ -131,14 +131,14 @@ func validateSecretsManagerConfig(prov *esv1.AWSProvider) error {
 	if prov.SecretsManager == nil {
 		return nil
 	}
-	return util.ValidateDeleteSecretInput(awssm.DeleteSecretInput{
+	return awsutil.ValidateDeleteSecretInput(awssm.DeleteSecretInput{
 		ForceDeleteWithoutRecovery: &prov.SecretsManager.ForceDeleteWithoutRecovery,
 		RecoveryWindowInDays:       &prov.SecretsManager.RecoveryWindowInDays,
 	})
 }
 
 func newClient(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string, assumeRoler awsauth.STSProvider) (esv1.SecretsClient, error) {
-	prov, err := util.GetAWSProvider(store)
+	prov, err := awsutil.GetAWSProvider(store)
 	if err != nil {
 		return nil, err
 	}
@@ -150,7 +150,7 @@ func newClient(ctx context.Context, store esv1.GenericStore, kube client.Client,
 
 	// allow SecretStore controller validation to pass
 	// when using referent namespace.
-	if util.IsReferentSpec(prov.Auth) && namespace == "" &&
+	if awsutil.IsReferentSpec(prov.Auth) && namespace == "" &&
 		store.GetObjectKind().GroupVersionKind().Kind == esv1.ClusterSecretStoreKind {
 		cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion("eu-west-1"))
 		if err != nil {

+ 10 - 10
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -29,7 +29,7 @@ import (
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/aws/smithy-go"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
@@ -40,10 +40,10 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/find"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 // PushSecretMetadataSpec contains metadata information for pushing secrets to AWS Secret Manager.
@@ -180,7 +180,7 @@ func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushS
 	if sm.config != nil && sm.config.RecoveryWindowInDays > 0 {
 		deleteInput.RecoveryWindowInDays = &sm.config.RecoveryWindowInDays
 	}
-	err = util.ValidateDeleteSecretInput(*deleteInput)
+	err = awsutil.ValidateDeleteSecretInput(*deleteInput)
 	if err != nil {
 		return err
 	}
@@ -215,7 +215,7 @@ func (sm *SecretsManager) handleSecretError(err error) (bool, error) {
 
 // PushSecret pushes a secret to AWS Secrets Manager.
 func (sm *SecretsManager) PushSecret(ctx context.Context, secret *corev1.Secret, psd esv1.PushSecretData) error {
-	value, err := utils.ExtractSecretData(psd, secret)
+	value, err := esutils.ExtractSecretData(psd, secret)
 	if err != nil {
 		return fmt.Errorf("failed to extract secret data: %w", err)
 	}
@@ -404,7 +404,7 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1.ExternalSecret
 		return nil, err
 	}
 	if err != nil {
-		return nil, util.SanitizeErr(err)
+		return nil, awsutil.SanitizeErr(err)
 	}
 	if ref.Property == "" {
 		if secretOut.SecretString != nil {
@@ -497,7 +497,7 @@ func (sm *SecretsManager) Validate() (esv1.ValidationResult, error) {
 	}
 	_, err := sm.cfg.Credentials.Retrieve(context.Background())
 	if err != nil {
-		return esv1.ValidationResultError, util.SanitizeErr(err)
+		return esv1.ValidationResultError, awsutil.SanitizeErr(err)
 	}
 
 	return esv1.ValidationResultReady, nil
@@ -543,7 +543,7 @@ func (sm *SecretsManager) createSecretWithContext(ctx context.Context, secretNam
 }
 
 func (sm *SecretsManager) putSecretValueWithContext(ctx context.Context, secretArn string, awsSecret *awssm.GetSecretValueOutput, psd esv1.PushSecretData, value []byte, tags []types.Tag) error {
-	if awsSecret != nil && (bytes.Equal(awsSecret.SecretBinary, value) || utils.CompareStringAndByteSlices(awsSecret.SecretString, value)) {
+	if awsSecret != nil && (bytes.Equal(awsSecret.SecretBinary, value) || esutils.CompareStringAndByteSlices(awsSecret.SecretString, value)) {
 		return nil
 	}
 
@@ -560,7 +560,7 @@ func (sm *SecretsManager) putSecretValueWithContext(ctx context.Context, secretA
 		SecretBinary:       value,
 		ClientRequestToken: aws.String(newVersionNumber),
 	}
-	secretPushFormat, err := utils.FetchValueFromMetadata(SecretPushFormatKey, psd.GetMetadata(), SecretPushFormatBinary)
+	secretPushFormat, err := esutils.FetchValueFromMetadata(SecretPushFormatKey, psd.GetMetadata(), SecretPushFormatBinary)
 	if err != nil {
 		return fmt.Errorf("failed to parse metadata: %w", err)
 	}
@@ -588,7 +588,7 @@ func (sm *SecretsManager) patchTags(ctx context.Context, metadata *apiextensions
 		return err
 	}
 
-	tagKeysToRemove := util.FindTagKeysToRemove(tags, meta.Spec.Tags)
+	tagKeysToRemove := awsutil.FindTagKeysToRemove(tags, meta.Spec.Tags)
 	if len(tagKeysToRemove) > 0 {
 		_, err = sm.client.UntagResource(ctx, &awssm.UntagResourceInput{
 			SecretId: secretID,
@@ -666,7 +666,7 @@ func (sm *SecretsManager) constructSecretValue(ctx context.Context, key, ver str
 		}
 		log.Info("found metadata secret", "key", key, "output", descOutput)
 
-		jsonTags, err := util.SecretTagsToJSONString(descOutput.Tags)
+		jsonTags, err := awsutil.SecretTagsToJSONString(descOutput.Tags)
 		if err != nil {
 			return nil, err
 		}
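Review bot: The context line `log.Info("found metadata secret", "key", key, "output", descOutput)` writes the entire DescribeSecret output to the operator log at info level. The tags in that output are what this branch then serialises with `SecretTagsToJSONString`, presumably to return as the secret value, so anything stored in tags is also copied into the logs. Logging only the identifier, `log.Info("found metadata secret", "key", key)`, keeps the trace without the payload. constructSecretValue starts and ends outside the hunk.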

+ 4 - 4
pkg/provider/aws/secretsmanager/secretsmanager_test.go

@@ -30,7 +30,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -225,7 +225,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 			Tags: getTagSlice(),
 		}
 		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
-		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
+		jsonTags, _ := awsutil.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
 		smtc.expectedSecret = jsonTags
 	}
@@ -237,7 +237,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 		}
 		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
 		smtc.remoteRef.Property = tagname2
-		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
+		jsonTags, _ := awsutil.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
 		smtc.expectedSecret = tagvalue2
 	}
@@ -249,7 +249,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 		}
 		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
 		smtc.remoteRef.Property = "fail"
-		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
+		jsonTags, _ := awsutil.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
 		smtc.expectError = "key fail does not exist in secret /baz"
 	}

+ 2 - 2
pkg/provider/aws/util/errors.go

@@ -14,8 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package util provides utility functions for AWS providers in External Secrets Operator
-package util
+// Package awsutil provides utility functions for AWS providers in External Secrets Operator
+package awsutil
 
 import (
 	"errors"

+ 1 - 1
pkg/provider/aws/util/errors_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+package awsutil
 
 import (
 	"errors"

+ 1 - 1
pkg/provider/aws/util/provider.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+package awsutil
 
 import (
 	"encoding/json"

+ 1 - 1
pkg/provider/aws/util/provider_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+package awsutil
 
 import (
 	"encoding/json"

+ 2 - 1
pkg/provider/aws/util/validation.go

@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+// Package awsutil provides utility functions for AWS provider integration
+package awsutil
 
 import (
 	"fmt"
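Review bot: The added `// Package awsutil provides utility functions for AWS provider integration` is a second package comment for the same package. errors.go in this commit already carries `// Package awsutil provides utility functions for AWS providers in External Secrets Operator`. Go's doc tooling concatenates package comments from every file, so the rendered package doc would hold two near-duplicate sentences. Keep a single package comment (a `doc.go` is the usual home), end it with a period, and leave this file with the bare `package awsutil` clause.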

+ 7 - 7
pkg/provider/azure/keyvault/keyvault.go

@@ -61,10 +61,10 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 const (
@@ -319,18 +319,18 @@ func (a *Azure) ValidateStore(store esv1.GenericStore) (admission.Warnings, erro
 	}
 	if p.AuthSecretRef != nil {
 		if p.AuthSecretRef.ClientID != nil {
-			if err := utils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientID); err != nil {
+			if err := esutils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientID); err != nil {
 				return nil, fmt.Errorf(errInvalidSecRefClientID, err)
 			}
 		}
 		if p.AuthSecretRef.ClientSecret != nil {
-			if err := utils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientSecret); err != nil {
+			if err := esutils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientSecret); err != nil {
 				return nil, fmt.Errorf(errInvalidSecRefClientSecret, err)
 			}
 		}
 	}
 	if p.ServiceAccountRef != nil {
-		if err := utils.ValidateReferentServiceAccountSelector(store, *p.ServiceAccountRef); err != nil {
+		if err := esutils.ValidateReferentServiceAccountSelector(store, *p.ServiceAccountRef); err != nil {
 			return nil, fmt.Errorf(errInvalidSARef, err)
 		}
 	}
@@ -710,7 +710,7 @@ func getSecretKey(secret *corev1.Secret, data esv1.PushSecretData) ([]byte, erro
 	for k, v := range secret.Data {
 		secretStringVal[k] = string(v)
 	}
-	value, err := utils.JSONMarshal(secretStringVal)
+	value, err := esutils.JSONMarshal(secretStringVal)
 	if err != nil {
 		return nil, fmt.Errorf("failed to serialize secret content as JSON: %w", err)
 	}

+ 1 - 1
pkg/provider/azure/keyvault/keyvault_new_sdk.go

@@ -39,8 +39,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 // New SDK implementations for setter methods.

+ 9 - 9
pkg/provider/azure/keyvault/keyvault_test.go

@@ -36,10 +36,10 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault/fake"
 	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
 )
 
 type secretManagerTestCase struct {
@@ -379,7 +379,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		err := sm.DeleteSecret(context.Background(), v.pushData)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			if err == nil {
 				t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError)
 			} else {
@@ -956,7 +956,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			}
 		}
 		err := sm.PushSecret(context.Background(), v.secret, v.pushData)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			if err == nil {
 				t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError)
 			} else {
@@ -966,7 +966,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		if len(v.expectedData) > 0 {
 			sm.baseClient = v.mockClient
 			out, err := sm.GetSecretMap(context.Background(), *v.ref)
-			if !utils.ErrorContains(err, v.expectError) {
+			if !esutils.ErrorContains(err, v.expectError) {
 				t.Errorf(unexpectedError, k, err.Error(), v.expectError)
 			}
 			if err == nil && !reflect.DeepEqual(out, v.expectedData) {
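Review bot: `t.Errorf(unexpectedError, k, err.Error(), v.expectError)` calls `err.Error()` on an error that can be nil. The DeleteSecret and PushSecret checks earlier in this file test `err == nil` inside the same `!esutils.ErrorContains(...)` branch, so the branch is reachable with a nil error. When an expected error does not occur, the test would panic with a nil dereference instead of reporting a failure. Add the same `if err == nil { t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError) }` branch used above. The same pattern appears in the GetSecret, GetSecretMap and GetAllSecrets hunks that follow, and the test bodies extend beyond the hunks.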
@@ -1342,7 +1342,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		out, err := sm.GetSecret(context.Background(), *v.ref)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf(unexpectedError, k, err.Error(), v.expectError)
 		}
 		if string(out) != v.expectedSecret {
@@ -1501,7 +1501,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		out, err := sm.GetSecretMap(context.Background(), *v.ref)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf(unexpectedError, k, err.Error(), v.expectError)
 		}
 		if err == nil && !reflect.DeepEqual(out, v.expectedData) {
@@ -1644,7 +1644,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		out, err := sm.GetAllSecrets(context.Background(), *v.refFind)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf(unexpectedError, k, err.Error(), v.expectError)
 		}
 		if err == nil && !reflect.DeepEqual(out, v.expectedData) {
@@ -1849,7 +1849,7 @@ func TestAzureKeyVaultSecretExists(t *testing.T) {
 		sm.baseClient = tc.mockClient
 		exists, err := sm.SecretExists(context.Background(), tc.pushData)
 
-		if !utils.ErrorContains(err, tc.expectError) {
+		if !esutils.ErrorContains(err, tc.expectError) {
 			if err == nil {
 				t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, tc.expectError)
 			} else {

+ 2 - 2
pkg/provider/beyondtrust/provider.go

@@ -37,8 +37,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	esutils "github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	esutils "github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 const (

+ 3 - 3
pkg/provider/bitwarden/client.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 const (
@@ -63,12 +63,12 @@ func (p *Provider) PushSecret(ctx context.Context, secret *corev1.Secret, data e
 		return errors.New("remote key must be defined")
 	}
 
-	value, err := utils.ExtractSecretData(data, secret)
+	value, err := esutils.ExtractSecretData(data, secret)
 	if err != nil {
 		return fmt.Errorf("failed to extract secret data: %w", err)
 	}
 
-	note, err := utils.FetchValueFromMetadata(NoteMetadataKey, data.GetMetadata(), "")
+	note, err := esutils.FetchValueFromMetadata(NoteMetadataKey, data.GetMetadata(), "")
 	if err != nil {
 		return fmt.Errorf("failed to fetch note from metadata: %w", err)
 	}

+ 3 - 3
pkg/provider/bitwarden/provider.go

@@ -29,8 +29,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 // Provider implements the External Secrets provider interface for Bitwarden Secrets Manager.
@@ -114,7 +114,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 // newHTTPSClient creates a new HTTPS client with the given cert.
 func newHTTPSClient(ctx context.Context, c client.Client, storeKind, namespace string, provider *esv1.BitwardenSecretsManagerProvider) (*http.Client, error) {
-	cert, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
+	cert, err := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
 		CABundle:   []byte(provider.CABundle),
 		CAProvider: provider.CAProvider,
 		StoreKind:  storeKind,

+ 4 - 4
pkg/provider/chef/chef.go

@@ -37,7 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 const (
@@ -177,7 +177,7 @@ func (providerchef *Providerchef) GetAllSecrets(_ context.Context, _ esv1.Extern
 
 // GetSecret returns a databagItem present in the databag. format example: databagName/databagItemName.
 func (providerchef *Providerchef) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	if utils.IsNil(providerchef.databagService) {
+	if esutils.IsNil(providerchef.databagService) {
 		return nil, errors.New(errUninitalizedChefProvider)
 	}
 
@@ -265,7 +265,7 @@ func getPropertyFromDatabagItem(jsonByte []byte, propertyName string) ([]byte, e
 // dataFrom.extract.key only accepts dataBagName, example : dataFrom.extract.key: myDatabag
 // databagItemName or Property not expected in key.
 func (providerchef *Providerchef) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	if utils.IsNil(providerchef.databagService) {
+	if esutils.IsNil(providerchef.databagService) {
 		return nil, errors.New(errUninitalizedChefProvider)
 	}
 	databagName := ref.Key
@@ -298,7 +298,7 @@ func (providerchef *Providerchef) ValidateStore(store esv1.GenericStore) (admiss
 		return nil, fmt.Errorf(errChefStore, err)
 	}
 	// check namespace compared to kind
-	if err := utils.ValidateSecretSelector(store, chefProvider.Auth.SecretRef.SecretKey); err != nil {
+	if err := esutils.ValidateSecretSelector(store, chefProvider.Auth.SecretRef.SecretKey); err != nil {
 		return nil, fmt.Errorf(errChefStore, err)
 	}
 	return nil, nil

+ 3 - 3
pkg/provider/chef/chef_test.go

@@ -31,8 +31,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	fake "github.com/external-secrets/external-secrets/pkg/provider/chef/fake"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 const (
@@ -185,7 +185,7 @@ func TestChefGetSecret(t *testing.T) {
 	for k, v := range successCases {
 		sm.databagService = v.mockClient
 		out, err := sm.GetSecret(ctx, *v.ref)
-		if err != nil && !utils.ErrorContains(err, v.expectError) {
+		if err != nil && !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf("[case %d] expected error: %v, got: %v", k, v.expectError, err)
 		} else if v.expectError != "" && err == nil {
 			t.Errorf("[case %d] expected error: %v, got: nil", k, v.expectError)
@@ -238,7 +238,7 @@ func TestChefGetSecretMap(t *testing.T) {
 	for k, v := range successCases {
 		pc.databagService = v.mockClient
 		out, err := pc.GetSecretMap(ctx, *v.ref)
-		if err != nil && !utils.ErrorContains(err, v.expectError) {
+		if err != nil && !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf("[case %d] expected error: %v, got: %v", k, v.expectError, err)
 		} else if v.expectError != "" && err == nil {
 			t.Errorf("[case %d] expected error: %v, got: nil", k, v.expectError)

+ 2 - 2
pkg/provider/cloudru/secretmanager/client.go

@@ -31,8 +31,8 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/provider/cloudru/secretmanager/adapter"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 var (
@@ -138,7 +138,7 @@ func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind)
 		out[s.GetPath()] = secret
 	}
 
-	return utils.ConvertKeys(ref.ConversionStrategy, out)
+	return esutils.ConvertKeys(ref.ConversionStrategy, out)
 }
 
 func (c *Client) accessSecret(ctx context.Context, key, version string) ([]byte, error) {

+ 3 - 3
pkg/provider/cloudru/secretmanager/provider.go

@@ -36,8 +36,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/provider/cloudru/secretmanager/adapter"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 func init() {
@@ -163,12 +163,12 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	}
 
 	ref := csmProvider.Auth.SecretRef
-	err := utils.ValidateReferentSecretSelector(store, ref.AccessKeyID)
+	err := esutils.ValidateReferentSecretSelector(store, ref.AccessKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("invalid spec: auth.secretRef.accessKeyID: %w", err)
 	}
 
-	err = utils.ValidateReferentSecretSelector(store, ref.AccessKeySecret)
+	err = esutils.ValidateReferentSecretSelector(store, ref.AccessKeySecret)
 	if err != nil {
 		return nil, fmt.Errorf("invalid spec: auth.secretRef.accessKeySecret: %w", err)
 	}

+ 1 - 1
pkg/provider/cloudru/secretmanager/resolver.go

@@ -23,8 +23,8 @@ import (
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/provider/cloudru/secretmanager/adapter"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 // KubeCredentialsResolver resolves the credentials from the Kubernetes secret.

+ 1 - 1
pkg/provider/conjur/auth_jwt.go

@@ -27,7 +27,7 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 // JwtLifespan is the duration in seconds for which the JWT token is valid (10 minutes).

+ 4 - 4
pkg/provider/conjur/client.go

@@ -28,9 +28,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/provider/conjur/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 var (
@@ -61,12 +61,12 @@ func (c *Client) GetConjurClient(ctx context.Context) (SecretsClient, error) {
 		return c.client, nil
 	}
 
-	prov, err := util.GetConjurProvider(c.store)
+	prov, err := conjurutil.GetConjurProvider(c.store)
 	if err != nil {
 		return nil, err
 	}
 
-	cert, getCertErr := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
+	cert, getCertErr := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
 		CABundle:   []byte(prov.CABundle),
 		CAProvider: prov.CAProvider,
 		StoreKind:  c.store.GetKind(),

+ 2 - 2
pkg/provider/conjur/util/provider.go

@@ -14,9 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package util provides utility functions for working with Conjur providers.
+// Package conjurutil provides utility functions for working with Conjur providers.
 // It contains helper functions for validating and extracting Conjur provider configurations.
-package util
+package conjurutil
 
 import (
 	"errors"

이 변경점에서 너무 많은 파일들이 변경되어 몇몇 파일들은 표시되지 않았습니다.