
chore(linter): fix revive linter issues in `pkg` (#5412)

* chore(linter): fix revive linter errors

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* chore(linter): fix revive linter errors

* rename the pkg/utils to pkg/esutils

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* chore(linter): fix import issues

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* chore(linter): fix package comment

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

---------

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>
Ogundele Olumide 8 ay önce
ebeveyn
işleme
e92a450a49
100 değiştirilmiş dosya ile 723 ekleme ve 434 silme
  1. 2 1
      pkg/cache/cache.go
  2. 2 2
      pkg/cache/cache_test.go
  3. 5 0
      pkg/common/webhook/models.go
  4. 25 10
      pkg/common/webhook/webhook.go
  5. 2 0
      pkg/constants/constants.go
  6. 5 0
      pkg/controllers/clusterexternalsecret/cesmetrics/cesmetrics.go
  7. 10 3
      pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go
  8. 11 11
      pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller_test.go
  9. 5 0
      pkg/controllers/clusterexternalsecret/util.go
  10. 8 3
      pkg/controllers/clusterpushsecret/clusterpushsecret_controller.go
  11. 8 8
      pkg/controllers/clusterpushsecret/clusterpushsecret_controller_test.go
  12. 4 0
      pkg/controllers/clusterpushsecret/cpsmetrics/cpsmetrics.go
  13. 5 0
      pkg/controllers/clusterpushsecret/util.go
  14. 2 1
      pkg/controllers/common/common.go
  15. 3 0
      pkg/controllers/commontest/common.go
  16. 1 0
      pkg/controllers/crds/common_test.go
  17. 17 3
      pkg/controllers/crds/crds_controller.go
  18. 14 5
      pkg/controllers/externalsecret/esmetrics/esmetrics.go
  19. 10 9
      pkg/controllers/externalsecret/externalsecret_controller.go
  20. 15 15
      pkg/controllers/externalsecret/externalsecret_controller_secret.go
  21. 6 6
      pkg/controllers/externalsecret/externalsecret_controller_template.go
  22. 81 80
      pkg/controllers/externalsecret/externalsecret_controller_test.go
  23. 7 0
      pkg/controllers/generatorstate/generatorstate_controller.go
  24. 3 4
      pkg/controllers/generatorstate/util.go
  25. 7 0
      pkg/controllers/metrics/labels.go
  26. 10 2
      pkg/controllers/pushsecret/psmetrics/psmetrics.go
  27. 31 6
      pkg/controllers/pushsecret/pushsecret_controller.go
  28. 3 3
      pkg/controllers/pushsecret/pushsecret_controller_template.go
  29. 23 23
      pkg/controllers/pushsecret/pushsecret_controller_test.go
  30. 4 0
      pkg/controllers/secretstore/client_manager.go
  31. 4 4
      pkg/controllers/secretstore/client_manager_test.go
  32. 4 0
      pkg/controllers/secretstore/clustersecretstore_controller.go
  33. 12 10
      pkg/controllers/secretstore/common.go
  34. 6 1
      pkg/controllers/secretstore/cssmetrics/cssmetrics.go
  35. 4 0
      pkg/controllers/secretstore/metrics/metrics.go
  36. 4 0
      pkg/controllers/secretstore/secretstore_controller.go
  37. 6 1
      pkg/controllers/secretstore/ssmetrics/ssmetrics.go
  38. 11 0
      pkg/controllers/templating/parser.go
  39. 8 3
      pkg/controllers/util/util.go
  40. 17 2
      pkg/controllers/webhookconfig/webhookconfig.go
  41. 11 3
      pkg/esutils/metadata/metadata.go
  42. 0 0
      pkg/esutils/resolvers/generator.go
  43. 1 1
      pkg/esutils/resolvers/secret_ref.go
  44. 0 0
      pkg/esutils/resolvers/secret_ref_test.go
  45. 22 5
      pkg/esutils/utils.go
  46. 1 1
      pkg/esutils/utils_test.go
  47. 1 0
      pkg/feature/feature.go
  48. 4 0
      pkg/find/find.go
  49. 5 1
      pkg/generator/acr/acr.go
  50. 12 9
      pkg/generator/cloudsmith/cloudsmith.go
  51. 3 3
      pkg/generator/cloudsmith/cloudsmith_test.go
  52. 5 1
      pkg/generator/ecr/ecr.go
  53. 5 4
      pkg/generator/ecr/resolver.go
  54. 7 2
      pkg/generator/gcr/gcr.go
  55. 10 5
      pkg/generator/github/github.go
  56. 5 1
      pkg/generator/grafana/grafana.go
  57. 6 1
      pkg/generator/mfa/mfa.go
  58. 6 2
      pkg/generator/password/password.go
  59. 8 4
      pkg/generator/quay/quay.go
  60. 2 2
      pkg/generator/register/register.go
  61. 5 1
      pkg/generator/sshkey/sshkey.go
  62. 6 3
      pkg/generator/statemanager/statemanager.go
  63. 6 1
      pkg/generator/sts/sts.go
  64. 5 5
      pkg/generator/sts/sts_test.go
  65. 5 1
      pkg/generator/uuid/uuid.go
  66. 8 4
      pkg/generator/vault/vault.go
  67. 1 1
      pkg/generator/vault/vault_test.go
  68. 5 1
      pkg/generator/webhook/webhook.go
  69. 5 1
      pkg/metrics/metrics.go
  70. 14 14
      pkg/provider/akeyless/akeyless.go
  71. 1 1
      pkg/provider/akeyless/akeyless_api.go
  72. 1 1
      pkg/provider/akeyless/auth.go
  73. 21 21
      pkg/provider/alibaba/client.go
  74. 20 20
      pkg/provider/alibaba/kms.go
  75. 11 11
      pkg/provider/alibaba/kms_test.go
  76. 2 2
      pkg/provider/aws/auth/auth.go
  77. 11 9
      pkg/provider/aws/parameterstore/parameterstore.go
  78. 2 2
      pkg/provider/aws/parameterstore/parameterstore_test.go
  79. 9 9
      pkg/provider/aws/provider.go
  80. 10 10
      pkg/provider/aws/secretsmanager/secretsmanager.go
  81. 4 4
      pkg/provider/aws/secretsmanager/secretsmanager_test.go
  82. 2 2
      pkg/provider/aws/util/errors.go
  83. 1 1
      pkg/provider/aws/util/errors_test.go
  84. 1 1
      pkg/provider/aws/util/provider.go
  85. 1 1
      pkg/provider/aws/util/provider_test.go
  86. 2 1
      pkg/provider/aws/util/validation.go
  87. 7 7
      pkg/provider/azure/keyvault/keyvault.go
  88. 1 1
      pkg/provider/azure/keyvault/keyvault_new_sdk.go
  89. 9 9
      pkg/provider/azure/keyvault/keyvault_test.go
  90. 2 2
      pkg/provider/beyondtrust/provider.go
  91. 3 3
      pkg/provider/bitwarden/client.go
  92. 3 3
      pkg/provider/bitwarden/provider.go
  93. 4 4
      pkg/provider/chef/chef.go
  94. 3 3
      pkg/provider/chef/chef_test.go
  95. 2 2
      pkg/provider/cloudru/secretmanager/client.go
  96. 3 3
      pkg/provider/cloudru/secretmanager/provider.go
  97. 1 1
      pkg/provider/cloudru/secretmanager/resolver.go
  98. 1 1
      pkg/provider/conjur/auth_jwt.go
  99. 4 4
      pkg/provider/conjur/client.go
  100. 2 2
      pkg/provider/conjur/util/provider.go

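--- a/pkg/cache/cache.go
+++ b/pkg/cache/cache.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cache provides a generic LRU cache with versioning support.
 package cache
 
 import (
@@ -26,7 +27,7 @@ import (
 // lookup values using a key and a version.
 // By design, this cache allows access to only a single version of a given key.
 // A version mismatch is considered a cache miss and the key gets evicted if it exists.
-// When a key is evicted a optional cleanup function is called.
+// When a key is evicted an optional cleanup function is called.
 type Cache[T any] struct {
 	lru         *lru.Cache
 	size        int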

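--- a/pkg/cache/cache_test.go
+++ b/pkg/cache/cache_test.go
@@ -68,7 +68,7 @@ func TestCacheGet(t *testing.T) {
 
 func TestCacheGetInvalidVersion(t *testing.T) {
 	var cleanupCalled bool
-	c, err := New(1, func(client *client) {
+	c, err := New(1, func(*client) {
 		cleanupCalled = true
 	})
 	if err != nil {
@@ -85,7 +85,7 @@ func TestCacheGetInvalidVersion(t *testing.T) {
 
 func TestCacheEvict(t *testing.T) {
 	var cleanupCalled bool
-	c, err := New(1, func(client client) {
+	c, err := New(1, func(client) {
 		cleanupCalled = true
 	})
 	if err != nil {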

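--- a/pkg/common/webhook/models.go
+++ b/pkg/common/webhook/models.go
@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package webhook provides functionality for interacting with external webhook services
+// to fetch and push secret data.
 package webhook
 
 import (
@@ -23,6 +25,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// Spec defines the configuration for a webhook provider.
 type Spec struct {
 	// Webhook Method
 	// +optional, default GET
@@ -84,12 +87,14 @@ type NTLMProtocol struct {
 	Password esmeta.SecretKeySelector `json:"passwordSecret"`
 }
 
+// Result defines how to process and extract data from webhook responses.
 type Result struct {
 	// Json path of return value
 	// +optional
 	JSONPath string `json:"jsonPath,omitempty"`
 }
 
+// Secret defines a secret that can be used in webhook templates.
 type Secret struct {
 	// Name of this secret in templates
 	Name string `json:"name"`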

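--- a/pkg/common/webhook/webhook.go
+++ b/pkg/common/webhook/webhook.go
@@ -37,11 +37,13 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/external-secrets/external-secrets/pkg/template/v2"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
+// Webhook implements functionality to interact with webhook endpoints
+// to retrieve and push secrets.
 type Webhook struct {
 	Kube          client.Client
 	Namespace     string
@@ -77,6 +79,9 @@ func (w *Webhook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelect
 	}
 	return secret, nil
 }
+
+// GetSecretMap retrieves a secret from a webhook endpoint and processes
+// the response as a map of key-value pairs.
 func (w *Webhook) GetSecretMap(ctx context.Context, provider *Spec, ref *esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	result, err := w.GetWebhookData(ctx, provider, ref)
 	if err != nil {
@@ -111,7 +116,7 @@ func (w *Webhook) GetSecretMap(ctx context.Context, provider *Spec, ref *esv1.Ex
 	// Change the map of generic objects to a map of byte arrays
 	values := make(map[string][]byte)
 	for rKey := range jsonvalue {
-		values[rKey], err = utils.GetByteValueFromMap(jsonvalue, rKey)
+		values[rKey], err = esutils.GetByteValueFromMap(jsonvalue, rKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get response for key '%s': %w", rKey, err)
 		}
@@ -119,6 +124,7 @@ func (w *Webhook) GetSecretMap(ctx context.Context, provider *Spec, ref *esv1.Ex
 	return values, nil
 }
 
+// GetTemplateData prepares the template data for webhook requests based on the given remote reference.
 func (w *Webhook) GetTemplateData(ctx context.Context, ref *esv1.ExternalSecretDataRemoteRef, secrets []Secret, urlEncode bool) (map[string]map[string]string, error) {
 	data := map[string]map[string]string{}
 	if ref != nil {
@@ -145,6 +151,7 @@ func (w *Webhook) GetTemplateData(ctx context.Context, ref *esv1.ExternalSecretD
 	return data, nil
 }
 
+// GetTemplatePushData prepares the template data for webhook push requests.
 func (w *Webhook) GetTemplatePushData(ctx context.Context, ref esv1.PushSecretData, secrets []Secret, urlEncode bool) (map[string]map[string]string, error) {
 	data := map[string]map[string]string{}
 	if ref != nil {
@@ -189,6 +196,7 @@ func (w *Webhook) getTemplatedSecrets(ctx context.Context, secrets []Secret, dat
 	return nil
 }
 
+// GetWebhookData makes a request to the webhook endpoint and returns the raw response data.
 func (w *Webhook) GetWebhookData(ctx context.Context, provider *Spec, ref *esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if w.HTTP == nil {
 		return nil, errors.New("http client not initialized")
@@ -225,6 +233,7 @@ func (w *Webhook) GetWebhookData(ctx context.Context, provider *Spec, ref *esv1.
 	return w.executeRequest(ctx, provider, body.Bytes(), url, method, rawData)
 }
 
+// PushWebhookData pushes data to a webhook endpoint.
 func (w *Webhook) PushWebhookData(ctx context.Context, provider *Spec, data []byte, remoteKey esv1.PushSecretData) error {
 	if w.HTTP == nil {
 		return errors.New("http client not initialized")
@@ -282,7 +291,7 @@ func (w *Webhook) executeRequest(ctx context.Context, provider *Spec, data []byt
 	}
 
 	if provider.Auth != nil {
-		req, err = w.ReqAddAuth(req, provider, ctx)
+		req, err = w.ReqAddAuth(ctx, req, provider)
 		if err != nil {
 			return nil, err
 		}
@@ -312,6 +321,7 @@ func (w *Webhook) executeRequest(ctx context.Context, provider *Spec, data []byt
 	return io.ReadAll(resp.Body)
 }
 
+// ReqAddHeaders adds headers to an HTTP request based on provider configuration.
 func (w *Webhook) ReqAddHeaders(r *http.Request, provider *Spec, rawData map[string]map[string]string) (*http.Request, error) {
 	reqWithHeaders := r
 
@@ -326,7 +336,8 @@ func (w *Webhook) ReqAddHeaders(r *http.Request, provider *Spec, rawData map[str
 	return reqWithHeaders, nil
 }
 
-func (w *Webhook) ReqAddAuth(r *http.Request, provider *Spec, ctx context.Context) (*http.Request, error) {
+// ReqAddAuth adds authentication to an HTTP request based on provider configuration.
+func (w *Webhook) ReqAddAuth(ctx context.Context, r *http.Request, provider *Spec) (*http.Request, error) {
 	reqWithAuth := r
 
 	//nolint:gocritic // singleCaseSwitch: we prefer to keep it as a switch for clarity
@@ -352,12 +363,13 @@ func (w *Webhook) ReqAddAuth(r *http.Request, provider *Spec, ctx context.Contex
 	return reqWithAuth, nil
 }
 
+// GetHTTPClient returns an HTTP client configured according to the provider specification.
 func (w *Webhook) GetHTTPClient(ctx context.Context, provider *Spec) (*http.Client, error) {
-	client := &http.Client{}
+	c := &http.Client{}
 
 	// add timeout to client if it is there
 	if provider.Timeout != nil {
-		client.Timeout = provider.Timeout.Duration
+		c.Timeout = provider.Timeout.Duration
 	}
 
 	// add CA to client if it is there
@@ -373,12 +385,12 @@ func (w *Webhook) GetHTTPClient(ctx context.Context, provider *Spec) (*http.Clie
 			Renegotiation: tls.RenegotiateOnceAsClient,
 		}
 
-		client.Transport = &http.Transport{TLSClientConfig: tlsConf}
+		c.Transport = &http.Transport{TLSClientConfig: tlsConf}
 	}
 	// add authentication method if it s there
 	if provider.Auth != nil {
 		if provider.Auth.NTLM != nil {
-			client.Transport =
+			c.Transport =
 				&ntlmssp.Negotiator{
 					RoundTripper: &http.Transport{
 						TLSNextProto: map[string]func(authority string, c *tls.Conn) http.RoundTripper{}, // Needed to disable HTTP/2
@@ -390,12 +402,13 @@ func (w *Webhook) GetHTTPClient(ctx context.Context, provider *Spec) (*http.Clie
 	}
 
 	// return client with all add-ons
-	return client, nil
+	return c, nil
 }
 
+// GetCACertPool returns a certificate pool for TLS connections based on provider configuration.
 func (w *Webhook) GetCACertPool(ctx context.Context, provider *Spec) (*x509.CertPool, error) {
 	caCertPool := x509.NewCertPool()
-	ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
+	ca, err := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
 		CABundle:   provider.CABundle,
 		CAProvider: provider.CAProvider,
 		StoreKind:  w.StoreKind,
@@ -413,6 +426,7 @@ func (w *Webhook) GetCACertPool(ctx context.Context, provider *Spec) (*x509.Cert
 	return caCertPool, nil
 }
 
+// ExecuteTemplateString executes a template and returns the result as a string.
 func ExecuteTemplateString(tmpl string, data map[string]map[string]string) (string, error) {
 	result, err := ExecuteTemplate(tmpl, data)
 	if err != nil {
@@ -421,6 +435,7 @@ func ExecuteTemplateString(tmpl string, data map[string]map[string]string) (stri
 	return result.String(), nil
 }
 
+// ExecuteTemplate executes a template and returns the result as a bytes.Buffer.
 func ExecuteTemplate(tmpl string, data map[string]map[string]string) (bytes.Buffer, error) {
 	var result bytes.Buffer
 	if tmpl == "" {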
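Review bot: In GetHTTPClient the NTLM branch assigns `c.Transport` a second time, which replaces the `&http.Transport{TLSClientConfig: tlsConf}` set by the CA branch a few lines earlier. The rest of the `ntlmssp.Negotiator` literal falls between hunks, so it is not visible here whether its inner `http.Transport` also carries `tlsConf`; if it does not, a provider configured with both a CA and NTLM would lose that TLS configuration and fall back to the default trust settings. The doc comment added in this commit is the natural place to state the precedence, for example `// When NTLM auth is configured, its negotiator transport replaces any transport set earlier.` A test that sets both options and asserts on the resulting transport's `TLSClientConfig` would pin the behaviour.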

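--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -14,8 +14,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package constants holds constant values for the project.
 package constants
 
+// These constants are used for identifying providers and calls to them.
 const (
 	ProviderAWSSM                = "AWS/SecretsManager"
 	CallAWSSMGetSecretValue      = "GetSecretValue"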

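--- a/pkg/controllers/clusterexternalsecret/cesmetrics/cesmetrics.go
+++ b/pkg/controllers/clusterexternalsecret/cesmetrics/cesmetrics.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cesmetrics provides functionality for tracking and exposing metrics related to ClusterExternalSecret resources.
 package cesmetrics
 
 import (
@@ -25,7 +26,9 @@ import (
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 )
 
+// Constants for metrics subsystem and keys.
 const (
+	// ClusterExternalSecretSubsystem is the subsystem name used for ClusterExternalSecret metrics.
 	ClusterExternalSecretSubsystem            = "clusterexternalsecret"
 	ClusterExternalSecretReconcileDurationKey = "reconcile_duration"
 	ClusterExternalSecretStatusConditionKey   = "status_condition"
@@ -56,10 +59,12 @@ func SetUpMetrics() {
 	}
 }
 
+// GetGaugeVec returns a GaugeVec for the given metric key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }
 
+// UpdateClusterExternalSecretCondition updates the metrics for a ClusterExternalSecret based on its condition.
 func UpdateClusterExternalSecretCondition(ces *esv1.ClusterExternalSecret, condition *esv1.ClusterExternalSecretStatusCondition) {
 	if condition.Status != v1.ConditionTrue {
 		// This should not happen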
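Review bot: The new comment on GetGaugeVec does not say what callers get for a key that was never registered. The body is a bare `return gaugeVecMetrics[key]`; `gaugeVecMetrics` is declared outside the hunk, but if it is a map, as the indexing suggests, an unknown key yields a nil `*prometheus.GaugeVec`. Stating that in the comment would help callers, e.g. `// GetGaugeVec returns the GaugeVec registered for key, or nil if the key is unknown.` In the const block only `ClusterExternalSecretSubsystem` received a comment; the two key constants beside it could get one line each for consistency.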

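--- a/pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go
+++ b/pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go
@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package clusterexternalsecret implements a controller for managing ClusterExternalSecret resources,
+// which allow creating ExternalSecrets across multiple namespaces.
 package clusterexternalsecret
 
 import (
@@ -43,7 +45,7 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret/cesmetrics"
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 // Reconciler reconciles a ClusterExternalSecret object.
@@ -67,6 +69,11 @@ const (
 	ClusterExternalSecretFinalizer = "externalsecrets.external-secrets.io/clusterexternalsecret-cleanup"
 )
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+//
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("ClusterExternalSecret", req.NamespacedName)
 
@@ -148,7 +155,7 @@ func (r *Reconciler) reconcile(ctx context.Context, log logr.Logger, clusterExte
 	}
 	selectors = append(selectors, clusterExternalSecret.Spec.NamespaceSelectors...)
 
-	namespaces, err := utils.GetTargetNamespaces(ctx, r.Client, clusterExternalSecret.Spec.Namespaces, selectors)
+	namespaces, err := esutils.GetTargetNamespaces(ctx, r.Client, clusterExternalSecret.Spec.Namespaces, selectors)
 	if err != nil {
 		log.Error(err, "failed to get target Namespaces")
 		failedNamespaces := map[string]error{
@@ -524,7 +531,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options)
 		Watches(
 			&v1.Namespace{},
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForNamespace),
-			builder.WithPredicates(utils.NamespacePredicate()),
+			builder.WithPredicates(esutils.NamespacePredicate()),
 		).
 		Complete(r)
 }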

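--- a/pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller_test.go
+++ b/pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller_test.go
@@ -524,7 +524,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				ces.Spec.RefreshInterval = &metav1.Duration{Duration: 100 * time.Millisecond}
 				ces.Spec.NamespaceSelector = &metav1.LabelSelector{
@@ -602,7 +602,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				ces.Spec.RefreshInterval = &metav1.Duration{Duration: 100 * time.Millisecond}
 				ces.Spec.NamespaceSelector = &metav1.LabelSelector{
@@ -663,14 +663,14 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				ces.Spec.NamespaceSelector = &metav1.LabelSelector{
 					MatchLabels: map[string]string{metadataLabelName: "no-namespace-matches"},
 				}
 				return *ces
 			},
-			expectedClusterExternalSecret: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
+			expectedClusterExternalSecret: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
 				return esv1.ClusterExternalSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -687,7 +687,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				}
 			},
-			expectedExternalSecrets: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
+			expectedExternalSecrets: func(_ []v1.Namespace, _ esv1.ClusterExternalSecret) []esv1.ExternalSecret {
 				return []esv1.ExternalSecret{}
 			},
 		}),
@@ -718,7 +718,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				ces.Spec.NamespaceSelectors = []*metav1.LabelSelector{
 					{
@@ -730,7 +730,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 				}
 				return *ces
 			},
-			expectedClusterExternalSecret: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
+			expectedClusterExternalSecret: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
 				return esv1.ClusterExternalSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -751,7 +751,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				}
 			},
-			expectedExternalSecrets: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
+			expectedExternalSecrets: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
 				return []esv1.ExternalSecret{
 					{
 						ObjectMeta: metav1.ObjectMeta{
@@ -778,14 +778,14 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				},
 			},
-			clusterExternalSecret: func(namespaces []v1.Namespace) esv1.ClusterExternalSecret {
+			clusterExternalSecret: func(_ []v1.Namespace) esv1.ClusterExternalSecret {
 				ces := defaultClusterExternalSecret()
 				// does-not-exists tests that we would continue on to the next and not stop if the
 				// namespace hasn't been created yet.
 				ces.Spec.Namespaces = []string{"does-not-exist", "not-matching-namespace"}
 				return *ces
 			},
-			expectedClusterExternalSecret: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
+			expectedClusterExternalSecret: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) esv1.ClusterExternalSecret {
 				return esv1.ClusterExternalSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -805,7 +805,7 @@ var _ = Describe("ClusterExternalSecret controller", func() {
 					},
 				}
 			},
-			expectedExternalSecrets: func(namespaces []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
+			expectedExternalSecrets: func(_ []v1.Namespace, created esv1.ClusterExternalSecret) []esv1.ExternalSecret {
 				return []esv1.ExternalSecret{
 					{
 						ObjectMeta: metav1.ObjectMeta{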

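--- a/pkg/controllers/clusterexternalsecret/util.go
+++ b/pkg/controllers/clusterexternalsecret/util.go
@@ -23,6 +23,9 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret/cesmetrics"
 )
 
+// NewClusterExternalSecretCondition creates a new ClusterExternalSecret condition based on failed namespaces.
+// If there are no failed namespaces, it returns a Ready condition with True status.
+// Otherwise, it returns a Ready condition with False status and an error message.
 func NewClusterExternalSecretCondition(failedNamespaces map[string]error) *esv1.ClusterExternalSecretStatusCondition {
 	if len(failedNamespaces) == 0 {
 		return &esv1.ClusterExternalSecretStatusCondition{
@@ -40,6 +43,8 @@ func NewClusterExternalSecretCondition(failedNamespaces map[string]error) *esv1.
 	return condition
 }
 
+// SetClusterExternalSecretCondition updates the conditions on the ClusterExternalSecret status
+// and updates the corresponding metrics.
 func SetClusterExternalSecretCondition(ces *esv1.ClusterExternalSecret, condition esv1.ClusterExternalSecretStatusCondition) {
 	ces.Status.Conditions = append(filterOutCondition(ces.Status.Conditions, condition.Type), condition)
 	cesmetrics.UpdateClusterExternalSecretCondition(ces, &condition)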

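--- a/pkg/controllers/clusterpushsecret/clusterpushsecret_controller.go
+++ b/pkg/controllers/clusterpushsecret/clusterpushsecret_controller.go
@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package clusterpushsecret implements a controller for managing ClusterPushSecret resources,
+// which allow pushing secrets to external systems across multiple namespaces.
 package clusterpushsecret
 
 import (
@@ -42,7 +44,7 @@ import (
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterpushsecret/cpsmetrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/pushsecret"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 // Reconciler reconciles a ClusterPushSecret object.
@@ -62,6 +64,9 @@ const (
 	errNamespacesFailed     = "one or more namespaces failed"
 )
 
+// Reconcile handles the reconciliation loop for ClusterPushSecret resources.
+// It ensures that PushSecrets are created in selected namespaces according to the
+// ClusterPushSecret specification and maintains their status.
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("ClusterPushSecret", req.NamespacedName)
 
@@ -102,7 +107,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	cps.Status.PushSecretName = esName
 
-	namespaces, err := utils.GetTargetNamespaces(ctx, r.Client, nil, cps.Spec.NamespaceSelectors)
+	namespaces, err := esutils.GetTargetNamespaces(ctx, r.Client, nil, cps.Spec.NamespaceSelectors)
 	if err != nil {
 		log.Error(err, "failed to get target Namespaces")
 		r.markAsFailed("failed to get target Namespaces", &cps)
@@ -322,7 +327,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options)
 		Watches(
 			&v1.Namespace{},
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForNamespace),
-			builder.WithPredicates(utils.NamespacePredicate()),
+			builder.WithPredicates(esutils.NamespacePredicate()),
 		).
 		Complete(r)
 }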

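--- a/pkg/controllers/clusterpushsecret/clusterpushsecret_controller_test.go
+++ b/pkg/controllers/clusterpushsecret/clusterpushsecret_controller_test.go
@@ -630,7 +630,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 				},
 			},
 			sourceSecret: defaultSourceSecret,
-			clusterPushSecret: func(namespaces []v1.Namespace) v1alpha1.ClusterPushSecret {
+			clusterPushSecret: func(_ []v1.Namespace) v1alpha1.ClusterPushSecret {
 				pes := defaultClusterPushSecret()
 				pes.Spec.RefreshInterval = &metav1.Duration{Duration: 100 * time.Millisecond}
 				pes.Spec.NamespaceSelectors = []*metav1.LabelSelector{
@@ -704,7 +704,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 				},
 			},
 			sourceSecret: defaultSourceSecret,
-			clusterPushSecret: func(namespaces []v1.Namespace) v1alpha1.ClusterPushSecret {
+			clusterPushSecret: func(_ []v1.Namespace) v1alpha1.ClusterPushSecret {
 				pes := defaultClusterPushSecret()
 				pes.Spec.RefreshInterval = &metav1.Duration{Duration: 100 * time.Millisecond}
 				pes.Spec.NamespaceSelectors = []*metav1.LabelSelector{
@@ -767,7 +767,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 					},
 				},
 			},
-			clusterPushSecret: func(namespaces []v1.Namespace) v1alpha1.ClusterPushSecret {
+			clusterPushSecret: func(_ []v1.Namespace) v1alpha1.ClusterPushSecret {
 				pes := defaultClusterPushSecret()
 				pes.Spec.NamespaceSelectors = []*metav1.LabelSelector{
 					{
@@ -777,7 +777,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 				return *pes
 			},
 			sourceSecret: defaultSourceSecret,
-			expectedClusterPushSecret: func(namespaces []v1.Namespace, created v1alpha1.ClusterPushSecret) v1alpha1.ClusterPushSecret {
+			expectedClusterPushSecret: func(_ []v1.Namespace, created v1alpha1.ClusterPushSecret) v1alpha1.ClusterPushSecret {
 				return v1alpha1.ClusterPushSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -794,7 +794,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 					},
 				}
 			},
-			expectedPushSecrets: func(namespaces []v1.Namespace, created v1alpha1.ClusterPushSecret) []v1alpha1.PushSecret {
+			expectedPushSecrets: func([]v1.Namespace, v1alpha1.ClusterPushSecret) []v1alpha1.PushSecret {
 				return []v1alpha1.PushSecret{}
 			},
 		}),
@@ -825,7 +825,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 					},
 				},
 			},
-			clusterPushSecret: func(namespaces []v1.Namespace) v1alpha1.ClusterPushSecret {
+			clusterPushSecret: func(_ []v1.Namespace) v1alpha1.ClusterPushSecret {
 				pes := defaultClusterPushSecret()
 				pes.Spec.NamespaceSelectors = []*metav1.LabelSelector{
 					{
@@ -838,7 +838,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 				return *pes
 			},
 			sourceSecret: defaultSourceSecret,
-			expectedClusterPushSecret: func(namespaces []v1.Namespace, created v1alpha1.ClusterPushSecret) v1alpha1.ClusterPushSecret {
+			expectedClusterPushSecret: func(_ []v1.Namespace, created v1alpha1.ClusterPushSecret) v1alpha1.ClusterPushSecret {
 				return v1alpha1.ClusterPushSecret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: created.Name,
@@ -859,7 +859,7 @@ var _ = Describe("ClusterPushSecret controller", func() {
 					},
 				}
 			},
-			expectedPushSecrets: func(namespaces []v1.Namespace, created v1alpha1.ClusterPushSecret) []v1alpha1.PushSecret {
+			expectedPushSecrets: func(_ []v1.Namespace, created v1alpha1.ClusterPushSecret) []v1alpha1.PushSecret {
 				return []v1alpha1.PushSecret{
 					{
 						ObjectMeta: metav1.ObjectMeta{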

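--- a/pkg/controllers/clusterpushsecret/cpsmetrics/cpsmetrics.go
+++ b/pkg/controllers/clusterpushsecret/cpsmetrics/cpsmetrics.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cpsmetrics provides functionality for tracking and exposing metrics related to ClusterPushSecret resources.
 package cpsmetrics
 
 import (
@@ -25,6 +26,7 @@ import (
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 )
 
+// Constants for metrics subsystem and keys.
 const (
 	ClusterPushSecretSubsystem            = "clusterpushsecret"
 	ClusterPushSecretReconcileDurationKey = "reconcile_duration"
@@ -56,10 +58,12 @@ func SetUpMetrics() {
 	}
 }
 
+// GetGaugeVec returns a GaugeVec for the given metric key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }
 
+// UpdateClusterPushSecretCondition updates the metrics for a ClusterPushSecret based on its condition.
 func UpdateClusterPushSecretCondition(ces *v1alpha1.ClusterPushSecret, condition *v1alpha1.PushSecretStatusCondition) {
 	if condition.Status != v1.ConditionTrue {
 		// This should not happen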
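Review bot: The comment added on `GetGaugeVec` does not say what a caller gets for a key that was never registered: the body is a bare map lookup, `return gaugeVecMetrics[key]`, so an unknown key yields a nil `*prometheus.GaugeVec`. I would state that in the comment, e.g. `// GetGaugeVec returns the GaugeVec registered under key, or nil if no metric with that key was set up.`, so callers know to check the result before using it. The same applies to the `GetCounterVec` and `GetGaugeVec` comments added in pkg/controllers/externalsecret/esmetrics/esmetrics.go. `UpdateClusterPushSecretCondition` continues past the end of this section.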

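--- a/pkg/controllers/clusterpushsecret/util.go
+++ b/pkg/controllers/clusterpushsecret/util.go
@@ -23,6 +23,9 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterpushsecret/cpsmetrics"
 )
 
+// NewClusterPushSecretCondition creates a new PushSecretStatusCondition based on failed namespaces.
+// If there are no failed namespaces, it returns a Ready condition with True status.
+// Otherwise, it returns a Ready condition with False status and an error message.
 func NewClusterPushSecretCondition(failedNamespaces map[string]error) *v1alpha1.PushSecretStatusCondition {
 	if len(failedNamespaces) == 0 {
 		return &v1alpha1.PushSecretStatusCondition{
@@ -40,6 +43,8 @@ func NewClusterPushSecretCondition(failedNamespaces map[string]error) *v1alpha1.
 	return condition
 }
 
+// SetClusterPushSecretCondition updates the conditions on the ClusterPushSecret status
+// and updates the corresponding metrics.
 func SetClusterPushSecretCondition(ces *v1alpha1.ClusterPushSecret, condition v1alpha1.PushSecretStatusCondition) {
 	ces.Status.Conditions = append(filterOutCondition(ces.Status.Conditions, condition.Type), condition)
 	cpsmetrics.UpdateClusterPushSecretCondition(ces, &condition)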

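--- a/pkg/controllers/common/common.go
+++ b/pkg/controllers/common/common.go
@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package common
+// Package ctrlcommon provides shared utility functions for controllers
+package ctrlcommon
 
 import (
 	"context"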
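Review bot: Renaming the package clause to `ctrlcommon` while the file stays in `pkg/controllers/common` leaves the package name different from the last element of its import path, so nothing at an import site tells the reader where `ctrlcommon.` comes from. Either rename the directory to match, or have every importer use an explicit alias, `ctrlcommon "github.com/external-secrets/external-secrets/pkg/controllers/common"`. The same mismatch shows in pkg/controllers/externalsecret/externalsecret_controller.go, where calls change to `ctrlutil.GetResourceVersion` but the unaliased `.../pkg/controllers/util` import is left as a context line; presumably that package clause was renamed in a part of the commit not shown here.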

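--- a/pkg/controllers/commontest/common.go
+++ b/pkg/controllers/commontest/common.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package commontest provides testing utilities for controllers.
 package commontest
 
 import (
@@ -32,6 +33,7 @@ func CreateNamespace(baseName string, c client.Client) (string, error) {
 	return CreateNamespaceWithLabels(baseName, c, map[string]string{})
 }
 
+// CreateNamespaceWithLabels creates a namespace with the given labels and returns its name.
 func CreateNamespaceWithLabels(baseName string, c client.Client, labels map[string]string) (string, error) {
 	genName := fmt.Sprintf("ctrl-test-%v", baseName)
 	ns := &v1.Namespace{
@@ -54,6 +56,7 @@ func CreateNamespaceWithLabels(baseName string, c client.Client, labels map[stri
 	return ns.Name, nil
 }
 
+// HasOwnerRef checks if the given ObjectMeta has an owner reference with the specified kind and name.
 func HasOwnerRef(meta metav1.ObjectMeta, kind, name string) bool {
 	for _, ref := range meta.OwnerReferences {
 		if ref.Kind == kind && ref.Name == name {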

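--- a/pkg/controllers/crds/common_test.go
+++ b/pkg/controllers/crds/common_test.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package crds contains controllers for handling Custom Resource Definitions.
 package crds
 
 import (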

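--- a/pkg/controllers/crds/crds_controller.go
+++ b/pkg/controllers/crds/crds_controller.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package crds implements controllers for handling Custom Resource Definitions.
 package crds
 
 import (
@@ -35,7 +36,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -54,11 +55,13 @@ const (
 	caCertName           = "ca.crt"
 	caKeyName            = "ca.key"
 	certValidityDuration = 10 * 365 * 24 * time.Hour
-	LookaheadInterval    = 90 * 24 * time.Hour
+	// LookaheadInterval defines the interval to look ahead for certificate expiration.
+	LookaheadInterval = 90 * 24 * time.Hour
 
 	errResNotReady = "resource not ready: %s"
 )
 
+// Reconciler implements a reconciliation handler for CRD controllers.
 type Reconciler struct {
 	client.Client
 	Log             logr.Logger
@@ -83,6 +86,7 @@ type Reconciler struct {
 	readyStatusMap   map[string]bool
 }
 
+// Opts defines configuration options for the CRD controller.
 type Opts struct {
 	SvcName         string
 	SvcNamespace    string
@@ -91,6 +95,7 @@ type Opts struct {
 	Resources       []string
 }
 
+// New returns a new CRD controller instance.
 func New(k8sClient client.Client, scheme *runtime.Scheme, leaderChan <-chan struct{}, logger logr.Logger,
 	interval time.Duration, opts Opts) *Reconciler {
 	return &Reconciler{
@@ -111,6 +116,7 @@ func New(k8sClient client.Client, scheme *runtime.Scheme, leaderChan <-chan stru
 	}
 }
 
+// CertInfo holds certificate data information.
 type CertInfo struct {
 	CertDir  string
 	CertName string
@@ -118,6 +124,7 @@ type CertInfo struct {
 	CAName   string
 }
 
+// Reconcile handles the reconciliation logic for CRDs.
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("CustomResourceDefinition", req.NamespacedName)
 	if slices.Contains(r.CrdResources, req.NamespacedName.Name) {
@@ -152,7 +159,7 @@ func (r *Reconciler) ReadyCheck(_ *http.Request) error {
 	if err := r.checkCRDs(); err != nil {
 		return err
 	}
-	return utils.CheckEndpointSlicesReady(context.TODO(), r.Client, r.SvcName, r.SvcNamespace)
+	return esutils.CheckEndpointSlicesReady(context.TODO(), r.Client, r.SvcName, r.SvcNamespace)
 }
 
 func (r *Reconciler) checkCRDs() error {
@@ -167,6 +174,7 @@ func (r *Reconciler) checkCRDs() error {
 	return nil
 }
 
+// SetupWithManager sets up the controller with the Manager.
 func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options) error {
 	r.recorder = mgr.GetEventRecorderFor("custom-resource-definition")
 	return ctrl.NewControllerManagedBy(mgr).
@@ -254,6 +262,7 @@ func injectCert(crd *apiext.CustomResourceDefinition, certPem []byte) error {
 	return nil
 }
 
+// KeyPairArtifacts stores certificate key pair data.
 type KeyPairArtifacts struct {
 	Cert    *x509.Certificate
 	Key     *rsa.PrivateKey
@@ -261,6 +270,7 @@ type KeyPairArtifacts struct {
 	KeyPEM  []byte
 }
 
+// populateSecret populates the secret with the given certificate and key data.
 func populateSecret(cert, key []byte, caArtifacts *KeyPairArtifacts, secret *corev1.Secret) {
 	if secret.Data == nil {
 		secret.Data = make(map[string][]byte)
@@ -271,6 +281,7 @@ func populateSecret(cert, key []byte, caArtifacts *KeyPairArtifacts, secret *cor
 	secret.Data[keyName] = key
 }
 
+// ValidCert checks if the provided certificate is valid for the given DNS name.
 func ValidCert(caCert, cert, key []byte, dnsName string, at time.Time) (bool, error) {
 	if len(caCert) == 0 || len(cert) == 0 || len(key) == 0 {
 		return false, errors.New("empty cert")
@@ -414,6 +425,7 @@ func buildArtifactsFromSecret(secret *corev1.Secret) (*KeyPairArtifacts, error)
 	}, nil
 }
 
+// CreateCACert creates a new CA certificate.
 func (r *Reconciler) CreateCACert(begin, end time.Time) (*KeyPairArtifacts, error) {
 	templ := &x509.Certificate{
 		SerialNumber: big.NewInt(0),
@@ -450,6 +462,7 @@ func (r *Reconciler) CreateCACert(begin, end time.Time) (*KeyPairArtifacts, erro
 	return &KeyPairArtifacts{Cert: cert, Key: key, CertPEM: certPEM, KeyPEM: keyPEM}, nil
 }
 
+// CreateCAChain creates a certificate chain using the provided CA.
 func (r *Reconciler) CreateCAChain(ca *KeyPairArtifacts, begin, end time.Time) (*KeyPairArtifacts, error) {
 	templ := &x509.Certificate{
 		SerialNumber: big.NewInt(2),
@@ -486,6 +499,7 @@ func (r *Reconciler) CreateCAChain(ca *KeyPairArtifacts, begin, end time.Time) (
 	return &KeyPairArtifacts{Cert: cert, Key: key, CertPEM: certPEM, KeyPEM: keyPEM}, nil
 }
 
+// CreateCertPEM creates a new certificate in PEM format.
 func (r *Reconciler) CreateCertPEM(ca *KeyPairArtifacts, begin, end time.Time) ([]byte, []byte, error) {
 	templ := &x509.Certificate{
 		SerialNumber: big.NewInt(1),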
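Review bot: The one-line comments added on `CreateCACert`, `CreateCAChain` and `CreateCertPEM` leave out the property a reader of certificate-issuing code most needs: the templates visible here use constant serial numbers, `big.NewInt(0)`, `big.NewInt(2)` and `big.NewInt(1)`. RFC 5280 asks for a positive serial that is unique per issuer, so a zero serial on the CA and a repeated serial on every reissued certificate can trip strict verifiers and makes individual certificates indistinguishable in logs and revocation tooling. I would either document the fixed values as deliberate in these comments, or draw the serial from the CSPRNG with `serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))` and set `SerialNumber: serial,` (assuming `crypto/rand` is already imported for key generation, which this section does not show). All three function bodies continue outside their hunks, so how often certificates are reissued is inferred rather than visible.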

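--- a/pkg/controllers/externalsecret/esmetrics/esmetrics.go
+++ b/pkg/controllers/externalsecret/esmetrics/esmetrics.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package esmetrics provides metrics functionality for the ExternalSecret controller
 package esmetrics
 
 import (
@@ -26,10 +27,15 @@ import (
 )
 
 const (
-	ExternalSecretSubsystem            = "externalsecret"
-	SyncCallsKey                       = "sync_calls_total"
-	SyncCallsErrorKey                  = "sync_calls_error"
-	ExternalSecretStatusConditionKey   = "status_condition"
+	// ExternalSecretSubsystem is the subsystem for the external-secret controller.
+	ExternalSecretSubsystem = "externalsecret"
+	// SyncCallsKey is the metric key for sync calls.
+	SyncCallsKey = "sync_calls_total"
+	// SyncCallsErrorKey is the metric key for sync call errors.
+	SyncCallsErrorKey = "sync_calls_error"
+	// ExternalSecretStatusConditionKey is the metric key for the external secret status condition.
+	ExternalSecretStatusConditionKey = "status_condition"
+	// ExternalSecretReconcileDurationKey is the metric key for the external secret reconcile duration.
 	ExternalSecretReconcileDurationKey = "reconcile_duration"
 )
 
@@ -37,7 +43,7 @@ var counterVecMetrics = map[string]*prometheus.CounterVec{}
 
 var gaugeVecMetrics = map[string]*prometheus.GaugeVec{}
 
-// Called at the root to set-up the metric logic using the
+// SetUpMetrics is called at the root to set-up the metric logic using the
 // config flags provided.
 func SetUpMetrics() {
 	// Obtain the prometheus metrics and register
@@ -78,6 +84,7 @@ func SetUpMetrics() {
 	}
 }
 
+// UpdateExternalSecretCondition is a function that updates the condition of an external secret.
 func UpdateExternalSecretCondition(es *esv1.ExternalSecret, condition *esv1.ExternalSecretStatusCondition, value float64) {
 	esInfo := make(map[string]string)
 	esInfo["name"] = es.Name
@@ -148,10 +155,12 @@ func UpdateExternalSecretCondition(es *esv1.ExternalSecret, condition *esv1.Exte
 		})).Set(value)
 }
 
+// GetCounterVec returns the counter vec for the given key.
 func GetCounterVec(key string) *prometheus.CounterVec {
 	return counterVecMetrics[key]
 }
 
+// GetGaugeVec returns the gauge vec for the given key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }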
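Review bot: The comment added on `UpdateExternalSecretCondition` says it "updates the condition of an external secret", but the visible parts of the body only build a label map from `es` and end in `.Set(value)` on a metric; nothing shown modifies the ExternalSecret itself. A wording such as `// UpdateExternalSecretCondition records the given condition of es in the controller's metrics, setting the matching series to value.` describes what the code does, and dropping "is a function that" matches the other comments in this commit. The middle of the function lies outside both hunks, so the exact metrics touched should be confirmed against the full body.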

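--- a/pkg/controllers/externalsecret/externalsecret_controller.go
+++ b/pkg/controllers/externalsecret/externalsecret_controller.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package externalsecret implements the controller for managing ExternalSecret resources
 package externalsecret
 
 import (
@@ -54,8 +55,8 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 
 	// Loading registered generators.
 	_ "github.com/external-secrets/external-secrets/pkg/generator/register"
@@ -472,7 +473,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 		// we also use a label to keep track of the owner of the secret
 		// this lets us remove secrets that are no longer needed if the target secret name changes
 		if externalSecret.Spec.Target.CreationPolicy == esv1.CreatePolicyOwner {
-			lblValue := utils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
+			lblValue := esutils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
 			secret.Labels[esv1.LabelOwner] = lblValue
 		} else {
 			// the label should not be set if the creation policy is not Owner
@@ -480,7 +481,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 		}
 
 		secret.Labels[esv1.LabelManaged] = esv1.LabelManagedValue
-		secret.Annotations[esv1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
+		secret.Annotations[esv1.AnnotationDataHash] = esutils.ObjectHash(secret.Data)
 
 		return nil
 	}
@@ -605,7 +606,7 @@ func (r *Reconciler) markAsDone(externalSecret *esv1.ExternalSecret, start time.
 	SetExternalSecretCondition(externalSecret, *newReadyCondition)
 
 	externalSecret.Status.RefreshTime = metav1.NewTime(start)
-	externalSecret.Status.SyncedResourceVersion = util.GetResourceVersion(externalSecret.ObjectMeta)
+	externalSecret.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(externalSecret.ObjectMeta)
 
 	// if the status or reason has changed, log at the appropriate verbosity level
 	if oldReadyCondition == nil || oldReadyCondition.Status != newReadyCondition.Status || oldReadyCondition.Reason != newReadyCondition.Reason {
@@ -659,7 +660,7 @@ func (r *Reconciler) cleanupManagedSecrets(ctx context.Context, log logr.Logger,
 }
 
 func (r *Reconciler) deleteOrphanedSecrets(ctx context.Context, externalSecret *esv1.ExternalSecret, secretName string) error {
-	ownerLabel := utils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
+	ownerLabel := esutils.ObjectHash(fmt.Sprintf("%v/%v", externalSecret.Namespace, externalSecret.Name))
 
 	// we use a PartialObjectMetadataList to avoid loading the full secret objects
 	// and because the Secrets partials are always cached due to WatchesMetadata() in SetupWithManager()
@@ -930,7 +931,7 @@ func shouldRefresh(es *esv1.ExternalSecret) bool {
 			return true
 		}
 
-		return es.Status.SyncedResourceVersion != util.GetResourceVersion(es.ObjectMeta)
+		return es.Status.SyncedResourceVersion != ctrlutil.GetResourceVersion(es.ObjectMeta)
 
 	case esv1.RefreshPolicyPeriodic:
 		return shouldRefreshPeriodic(es)
@@ -947,7 +948,7 @@ func shouldRefreshPeriodic(es *esv1.ExternalSecret) bool {
 	}
 
 	// if the ExternalSecret has been updated, we should refresh
-	if es.Status.SyncedResourceVersion != util.GetResourceVersion(es.ObjectMeta) {
+	if es.Status.SyncedResourceVersion != ctrlutil.GetResourceVersion(es.ObjectMeta) {
 		return true
 	}
 
@@ -983,7 +984,7 @@ func isSecretValid(existingSecret *v1.Secret, es *esv1.ExternalSecret) bool {
 
 	// if the data-hash annotation is missing or incorrect, then it's invalid
 	// this is how we know if the data has chanced since we last updated the secret
-	if existingSecret.Annotations[esv1.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
+	if existingSecret.Annotations[esv1.AnnotationDataHash] != esutils.ObjectHash(existingSecret.Data) {
 		return false
 	}
 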

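--- a/pkg/controllers/externalsecret/externalsecret_controller_secret.go
+++ b/pkg/controllers/externalsecret/externalsecret_controller_secret.go
@@ -29,16 +29,16 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/generator/statemanager"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 
 	// Loading registered generators.
 	_ "github.com/external-secrets/external-secrets/pkg/generator/register"
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"
 )
 
-// getProviderSecretData returns the provider's secret data with the provided ExternalSecret.
+// GetProviderSecretData returns the provider's secret data with the provided ExternalSecret.
 func (r *Reconciler) GetProviderSecretData(ctx context.Context, externalSecret *esv1.ExternalSecret) (providerData map[string][]byte, err error) {
 	// We MUST NOT create multiple instances of a provider client (mostly due to limitations with GCP)
 	// Clientmanager keeps track of the client instances
@@ -103,7 +103,7 @@ func (r *Reconciler) GetProviderSecretData(ctx context.Context, externalSecret *
 			return nil, err
 		}
 
-		providerData = utils.MergeByteMap(providerData, secretMap)
+		providerData = esutils.MergeByteMap(providerData, secretMap)
 	}
 
 	for i, secretRef := range externalSecret.Spec.Data {
@@ -133,7 +133,7 @@ func (r *Reconciler) handleSecretData(ctx context.Context, externalSecret *esv1.
 	}
 
 	// decode the secret if needed
-	secretData, err = utils.Decode(secretRef.RemoteRef.DecodingStrategy, secretData)
+	secretData, err = esutils.Decode(secretRef.RemoteRef.DecodingStrategy, secretData)
 	if err != nil {
 		return fmt.Errorf(errDecode, secretRef.RemoteRef.DecodingStrategy, err)
 	}
@@ -178,13 +178,13 @@ func (r *Reconciler) handleGenerateSecrets(ctx context.Context, namespace string
 		generatorState.EnqueueSetLatest(ctx, generatorStateKey(i), namespace, generatorResource, impl, newState)
 	}
 	// rewrite the keys if needed
-	secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
+	secretMap, err = esutils.RewriteMap(remoteRef.Rewrite, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errRewrite, err)
 	}
 
 	// validate the keys
-	err = utils.ValidateKeys(r.Log, secretMap)
+	err = esutils.ValidateKeys(r.Log, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errInvalidKeys, err)
 	}
@@ -212,25 +212,25 @@ func (r *Reconciler) handleExtractSecrets(ctx context.Context, externalSecret *e
 	}
 
 	// rewrite the keys if needed
-	secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
+	secretMap, err = esutils.RewriteMap(remoteRef.Rewrite, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errRewrite, err)
 	}
 	if len(remoteRef.Rewrite) == 0 {
-		secretMap, err = utils.ConvertKeys(remoteRef.Extract.ConversionStrategy, secretMap)
+		secretMap, err = esutils.ConvertKeys(remoteRef.Extract.ConversionStrategy, secretMap)
 		if err != nil {
 			return nil, fmt.Errorf(errConvert, remoteRef.Extract.ConversionStrategy, err)
 		}
 	}
 
 	// validate the keys
-	err = utils.ValidateKeys(r.Log, secretMap)
+	err = esutils.ValidateKeys(r.Log, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errInvalidKeys, err)
 	}
 
 	// decode the secrets if needed
-	secretMap, err = utils.DecodeMap(remoteRef.Extract.DecodingStrategy, secretMap)
+	secretMap, err = esutils.DecodeMap(remoteRef.Extract.DecodingStrategy, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errDecode, remoteRef.Extract.DecodingStrategy, err)
 	}
@@ -253,25 +253,25 @@ func (r *Reconciler) handleFindAllSecrets(ctx context.Context, externalSecret *e
 	}
 
 	// rewrite the keys if needed
-	secretMap, err = utils.RewriteMap(remoteRef.Rewrite, secretMap)
+	secretMap, err = esutils.RewriteMap(remoteRef.Rewrite, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errRewrite, err)
 	}
 	if len(remoteRef.Rewrite) == 0 {
-		secretMap, err = utils.ConvertKeys(remoteRef.Find.ConversionStrategy, secretMap)
+		secretMap, err = esutils.ConvertKeys(remoteRef.Find.ConversionStrategy, secretMap)
 		if err != nil {
 			return nil, fmt.Errorf(errConvert, remoteRef.Find.ConversionStrategy, err)
 		}
 	}
 
 	// validate the keys
-	err = utils.ValidateKeys(r.Log, secretMap)
+	err = esutils.ValidateKeys(r.Log, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errInvalidKeys, err)
 	}
 
 	// decode the secrets if needed
-	secretMap, err = utils.DecodeMap(remoteRef.Find.DecodingStrategy, secretMap)
+	secretMap, err = esutils.DecodeMap(remoteRef.Find.DecodingStrategy, secretMap)
 	if err != nil {
 		return nil, fmt.Errorf(errDecode, remoteRef.Find.DecodingStrategy, err)
 	}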
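Review bot: The doc comment on GetProviderSecretData was only renamed and still says the method returns data "with the provided ExternalSecret", which does not tell a caller what the map contains or what comes back on failure. The method is exported and its `providerData map[string][]byte` result carries provider secret values, so I would reword it to `// GetProviderSecretData fetches the data referenced by the given ExternalSecret from its provider(s); the returned map holds raw secret values and must not be logged, and it is nil when err is non-nil.` The nil-on-error part matches the `return nil, err` visible in the second hunk, but the body continues outside these hunks, so confirm the other return paths before stating it.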

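--- a/pkg/controllers/externalsecret/externalsecret_controller_template.go
+++ b/pkg/controllers/externalsecret/externalsecret_controller_template.go
@@ -26,13 +26,13 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/templating"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/template"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register" // Loading registered providers.
 )
 
-// merge template in the following order:
+// ApplyTemplate merges templates in the following order:
 // * template.Data (highest precedence)
 // * template.TemplateFrom
 // * secret via es.data or es.dataFrom (if template.MergePolicy is Merge, or there is no template)
@@ -137,14 +137,14 @@ func setMetadata(secret *v1.Secret, es *esv1.ExternalSecret) error {
 
 	// if no template is defined, copy labels and annotations from the ExternalSecret
 	if es.Spec.Target.Template == nil {
-		utils.MergeStringMap(secret.ObjectMeta.Labels, es.ObjectMeta.Labels)
-		utils.MergeStringMap(secret.ObjectMeta.Annotations, es.ObjectMeta.Annotations)
+		esutils.MergeStringMap(secret.ObjectMeta.Labels, es.ObjectMeta.Labels)
+		esutils.MergeStringMap(secret.ObjectMeta.Annotations, es.ObjectMeta.Annotations)
 		return nil
 	}
 
 	// copy labels and annotations from the template
-	utils.MergeStringMap(secret.ObjectMeta.Labels, es.Spec.Target.Template.Metadata.Labels)
-	utils.MergeStringMap(secret.ObjectMeta.Annotations, es.Spec.Target.Template.Metadata.Annotations)
+	esutils.MergeStringMap(secret.ObjectMeta.Labels, es.Spec.Target.Template.Metadata.Labels)
+	esutils.MergeStringMap(secret.ObjectMeta.Annotations, es.Spec.Target.Template.Metadata.Annotations)
 
 	// add finalizers from the template
 	if secret.ObjectMeta.DeletionTimestamp.IsZero() {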
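Review bot: The four `esutils.MergeStringMap` calls in setMetadata still spell out the embedded field (`secret.ObjectMeta.Labels`, `es.ObjectMeta.Annotations`), which is a style leftover in a commit whose purpose is linter clean-up. The promoted selectors are shorter and equivalent, e.g. `esutils.MergeStringMap(secret.Labels, es.Labels)` and `esutils.MergeStringMap(secret.Annotations, es.Annotations)`. The same applies to `secret.ObjectMeta.DeletionTimestamp` on the last context line. setMetadata starts and ends outside this hunk, so other selectors in the function may want the same treatment.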

+ 81 - 80
pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -44,8 +44,8 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/util"
 	"github.com/external-secrets/external-secrets/pkg/controllers/util"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
 	"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	. "github.com/onsi/gomega"
@@ -162,7 +162,7 @@ var _ = Describe("Kind=secret existence logic", func() {
 						esv1.LabelManaged: esv1.LabelManagedValue,
 						esv1.LabelManaged: esv1.LabelManagedValue,
 					},
 					},
 					Annotations: map[string]string{
 					Annotations: map[string]string{
-						esv1.AnnotationDataHash: utils.ObjectHash(validData),
+						esv1.AnnotationDataHash: esutils.ObjectHash(validData),
 					},
 					},
 				},
 				},
 				Data: validData,
 				Data: validData,
@@ -286,7 +286,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 				}
 				}
 				return true
 				return true
 			},
 			},
-			checkExternalSecret: func(es *esv1.ExternalSecret) {
+			checkExternalSecret: func(_ *esv1.ExternalSecret) {
 				// noop by default
 				// noop by default
 			},
 			},
 			secretStore: &esv1.SecretStore{
 			secretStore: &esv1.SecretStore{
@@ -343,7 +343,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 	syncBigNames := func(tc *testCase) {
 	syncBigNames := func(tc *testCase) {
 		tc.targetSecretName = "this-is-a-very-big-secret-name-that-wouldnt-be-generated-due-to-label-limits"
 		tc.targetSecretName = "this-is-a-very-big-secret-name-that-wouldnt-be-generated-due-to-label-limits"
 		tc.externalSecret.Spec.Target.Name = "this-is-a-very-big-secret-name-that-wouldnt-be-generated-due-to-label-limits"
 		tc.externalSecret.Spec.Target.Name = "this-is-a-very-big-secret-name-that-wouldnt-be-generated-due-to-label-limits"
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1.ExternalSecret, _ *v1.Secret) {
 			// check binding secret on external secret
 			// check binding secret on external secret
 			Expect(es.Status.Binding.Name).To(Equal(tc.externalSecret.Spec.Target.Name))
 			Expect(es.Status.Binding.Name).To(Equal(tc.externalSecret.Spec.Target.Name))
 		}
 		}
@@ -376,7 +376,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
 
 
@@ -409,7 +409,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(existingLabelKey, existingLabelValue))
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(existingLabelKey, existingLabelValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
@@ -439,7 +439,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}, client.FieldOwner(ExternalSecretFQDN))).To(Succeed())
 		}, client.FieldOwner(ExternalSecretFQDN))).To(Succeed())
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Labels).To(HaveKeyWithValue(labelKey, labelValue))
 			Expect(secret.ObjectMeta.Labels).NotTo(HaveKeyWithValue(existingLabelKey, existingLabelValue))
 			Expect(secret.ObjectMeta.Labels).NotTo(HaveKeyWithValue(existingLabelKey, existingLabelValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
 			Expect(secret.ObjectMeta.Annotations).To(HaveKeyWithValue(annotationKey, annotationValue))
@@ -450,7 +450,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 	checkPrometheusCounters := func(tc *testCase) {
 	checkPrometheusCounters := func(tc *testCase) {
 		const secretVal = "someValue"
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, _ *v1.Secret) {
 			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
 			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
 			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
 			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
 			Eventually(func() bool {
 			Eventually(func() bool {
@@ -493,7 +493,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check value
 			// check value
 			Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
 			Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@@ -538,7 +538,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// Overwrite the secret value to check if the change kicks reconciliation and overwrites it again
 			// Overwrite the secret value to check if the change kicks reconciliation and overwrites it again
 			Expect(k8sClient.Update(context.Background(), &v1.Secret{
 			Expect(k8sClient.Update(context.Background(), &v1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 				ObjectMeta: metav1.ObjectMeta{
@@ -570,7 +570,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			oldResourceVersion := secret.ResourceVersion
 			oldResourceVersion := secret.ResourceVersion
 
 
 			cleanSecret := secret.DeepCopy()
 			cleanSecret := secret.DeepCopy()
@@ -617,7 +617,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			}
 			return true
 			return true
 		}
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -647,7 +647,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check that value stays the same
 			// check that value stays the same
 			Expect(string(secret.Data[existingKey])).To(Equal(secretVal))
 			Expect(string(secret.Data[existingKey])).To(Equal(secretVal))
 
 
@@ -694,7 +694,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data[secretKey])).To(Equal(secretVal))
 			Expect(string(secret.Data[secretKey])).To(Equal(secretVal))
 		}
 		}
@@ -733,7 +733,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data[secretKey])).To(Equal(secretVal))
 			Expect(string(secret.Data[secretKey])).To(Equal(secretVal))
 		}
 		}
@@ -769,7 +769,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		}
 	}
 	}
 
 
-	ignoreMismatchControllerForGeneratorRef := func(tc *testCase) {
+	ignoreMismatchControllerForGeneratorRef := func(_ *testCase) {
 		const secretKey = "somekey"
 		const secretKey = "somekey"
 		const secretVal = "someValue"
 		const secretVal = "someValue"
 
 
@@ -862,7 +862,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("bar"))
 			Expect(string(secret.Data["foo"])).To(Equal("bar"))
 			Expect(string(secret.Data["foo2"])).To(Equal("bar2"))
 			Expect(string(secret.Data["foo2"])).To(Equal("bar2"))
@@ -934,7 +934,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 		}
 		}
@@ -1019,7 +1019,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"targetProperty": []byte(FooValue),
 			"targetProperty": []byte(FooValue),
 			"bar":            []byte(BarValue),
 			"bar":            []byte(BarValue),
 		}, nil)
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@@ -1092,7 +1092,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"targetKey":   []byte(FooValue),
 			"targetKey":   []byte(FooValue),
 			"targetValue": []byte(BarValue),
 			"targetValue": []byte(BarValue),
 		}, nil)
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["map-foo-value-cm"])).To(Equal(BarValue))
 			Expect(string(secret.Data["map-foo-value-cm"])).To(Equal(BarValue))
 			Expect(string(secret.Data["map-foo-value-sec"])).To(Equal(BarValue))
 			Expect(string(secret.Data["map-foo-value-sec"])).To(Equal(BarValue))
@@ -1140,7 +1140,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"targetValue": []byte(BarValue),
 			"targetValue": []byte(BarValue),
 			"complex":     []byte("{\"nested\":\"json\",\"can\":\"be\",\"templated\":\"successfully\"}"),
 			"complex":     []byte("{\"nested\":\"json\",\"can\":\"be\",\"templated\":\"successfully\"}"),
 		}, nil)
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["map-foo-value-literal"])).To(Equal(BarValue))
 			Expect(string(secret.Data["map-foo-value-literal"])).To(Equal(BarValue))
 			Expect(string(secret.Data["nested"])).To(Equal("json"))
 			Expect(string(secret.Data["nested"])).To(Equal("json"))
@@ -1261,7 +1261,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		const secretVal = "someValue"
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
 
@@ -1300,7 +1300,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
@@ -1342,7 +1342,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
@@ -1372,7 +1372,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		const secretVal = "someValue"
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: 0}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: 0}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
 
@@ -1412,7 +1412,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		}
 		tc.externalSecret.Spec.Target.DeletionPolicy = esv1.DeletionPolicyDelete
 		tc.externalSecret.Spec.Target.DeletionPolicy = esv1.DeletionPolicyDelete
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Data["foo"]).To(Equal(expVal))
 			Expect(secret.Data["foo"]).To(Equal(expVal))
 
 
 			// update provider secret
 			// update provider secret
@@ -1459,7 +1459,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		}
 		tc.externalSecret.Spec.Target.DeletionPolicy = esv1.DeletionPolicyRetain
 		tc.externalSecret.Spec.Target.DeletionPolicy = esv1.DeletionPolicyRetain
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Data["foo"]).To(Equal(expVal))
 			Expect(secret.Data["foo"]).To(Equal(expVal))
 
 
 			sec := &v1.Secret{}
 			sec := &v1.Secret{}
@@ -1540,7 +1540,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check value
 			// check value
 			Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
 			Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@@ -1572,7 +1572,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		tc.externalSecret.Spec.Target.CreationPolicy = esv1.CreatePolicyOrphan
 		tc.externalSecret.Spec.Target.CreationPolicy = esv1.CreatePolicyOrphan
 
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check value
 			// check value
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
 
@@ -1623,7 +1623,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"foo": []byte(FooValue),
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 			"bar": []byte(BarValue),
 		}, nil)
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["new-foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["new-foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["new-bar"])).To(Equal(BarValue))
 			Expect(string(secret.Data["new-bar"])).To(Equal(BarValue))
@@ -1666,7 +1666,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			}
 			return true
 			return true
 		}
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -1715,7 +1715,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			}
 			return true
 			return true
 		}
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -1742,7 +1742,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"foo": []byte(FooValue),
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 			"bar": []byte(BarValue),
 		}, nil)
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["bar"])).To(Equal(BarValue))
 			Expect(string(secret.Data["bar"])).To(Equal(BarValue))
@@ -1773,7 +1773,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"foo": []byte(FooValue),
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 			"bar": []byte(BarValue),
 		}, nil)
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["new-foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["new-foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["new-bar"])).To(Equal(BarValue))
 			Expect(string(secret.Data["new-bar"])).To(Equal(BarValue))
@@ -1797,7 +1797,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"foo": []byte(FooValue),
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 			"bar": []byte(BarValue),
 		}, nil)
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["bar"])).To(Equal(BarValue))
 			Expect(string(secret.Data["bar"])).To(Equal(BarValue))
@@ -1826,7 +1826,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			"tls.crt": []byte(FooValue),
 			"tls.crt": []byte(FooValue),
 			"tls.key": []byte(BarValue),
 			"tls.key": []byte(BarValue),
 		}, nil)
 		}, nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Type).To(Equal(v1.SecretTypeTLS))
 			Expect(secret.Type).To(Equal(v1.SecretTypeTLS))
 			// check values
 			// check values
 			Expect(string(secret.Data["tls.crt"])).To(Equal(FooValue))
 			Expect(string(secret.Data["tls.crt"])).To(Equal(FooValue))
@@ -1885,7 +1885,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			}
 			return true
 			return true
 		}
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -1911,7 +1911,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			}
 			}
 			return true
 			return true
 		}
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			Eventually(func() bool {
 			Eventually(func() bool {
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testSyncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
 				Expect(testExternalSecretReconcileDuration.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metricDuration)).To(Succeed())
@@ -1930,7 +1930,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			cond := GetExternalSecretCondition(es.Status, esv1.ExternalSecretReady)
 			cond := GetExternalSecretCondition(es.Status, esv1.ExternalSecretReady)
 			return cond == nil
 			return cond == nil
 		}
 		}
-		tc.checkExternalSecret = func(es *esv1.ExternalSecret) {
+		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			// Condition True and False should be 0, since the Condition was not created
 			// Condition True and False should be 0, since the Condition was not created
 			Eventually(func() float64 {
 			Eventually(func() float64 {
 				Expect(testExternalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
 				Expect(testExternalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
@@ -1969,7 +1969,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		const secretVal = "someValue"
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 
 
 			// check values
 			// check values
 			oldUID := secret.UID
 			oldUID := secret.UID
@@ -1998,8 +1998,8 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 	checkSecretDataHashAnnotation := func(tc *testCase) {
 	checkSecretDataHashAnnotation := func(tc *testCase) {
 		const secretVal = "someValue"
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
-			expectedHash := utils.ObjectHash(map[string][]byte{
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
+			expectedHash := esutils.ObjectHash(map[string][]byte{
 				targetProp: []byte(secretVal),
 				targetProp: []byte(secretVal),
 			})
 			})
 			Expect(secret.Annotations[esv1.AnnotationDataHash]).To(Equal(expectedHash))
 			Expect(secret.Annotations[esv1.AnnotationDataHash]).To(Equal(expectedHash))
@@ -2023,8 +2023,8 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
-			expectedHash := utils.ObjectHash(map[string][]byte{
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
+			expectedHash := esutils.ObjectHash(map[string][]byte{
 				existingKey: []byte(existingVal),
 				existingKey: []byte(existingVal),
 				targetProp:  []byte(secretVal),
 				targetProp:  []byte(secretVal),
 			})
 			})
@@ -2039,7 +2039,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 		}
 		fakeProvider.WithGetSecretMap(fakeData, nil)
 		fakeProvider.WithGetSecretMap(fakeData, nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			oldHash := secret.Annotations[esv1.AnnotationDataHash]
 			oldHash := secret.Annotations[esv1.AnnotationDataHash]
 			oldResourceVersion := secret.ResourceVersion
 			oldResourceVersion := secret.ResourceVersion
 			Expect(oldHash).NotTo(BeEmpty())
 			Expect(oldHash).NotTo(BeEmpty())
@@ -2094,9 +2094,9 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 				if err != nil {
 				if err != nil {
 					return false
 					return false
 				}
 				}
-				_, ok := refreshedSecret.Data["key"]
-				return !ok && bytes.Equal(refreshedSecret.Data["new"], []byte("foo"))
-			}, timeout, interval).Should(BeTrue())
+				// ensure new data value exist
+				return string(refreshedSecret.Data["new"]) == "foo"
+			}, time.Second*10, time.Millisecond*200).Should(BeTrue())
 		}
 		}
 	}
 	}
 	// When we update the template, remaining keys should not be preserved
 	// When we update the template, remaining keys should not be preserved
@@ -2110,7 +2110,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 				"key": `{{.targetProperty}}-foo`,
 				"key": `{{.targetProperty}}-foo`,
 			},
 			},
 		}
 		}
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Data["key"]).To(Equal([]byte("someValue-foo")))
 			Expect(secret.Data["key"]).To(Equal([]byte("someValue-foo")))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 		}
@@ -2134,7 +2134,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 
 
 	// Secret is created when ClusterSecretStore has no conditions
 	// Secret is created when ClusterSecretStore has no conditions
 	noConditionsSecretCreated := func(tc *testCase) {
 	noConditionsSecretCreated := func(tc *testCase) {
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 		}
 	}
 	}
@@ -2201,7 +2201,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 		}
 	}
 	}
@@ -2213,7 +2213,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 		}
 	}
 	}
@@ -2243,7 +2243,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 		}
 	}
 	}
@@ -2276,7 +2276,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 		}
 	}
 	}
@@ -2292,7 +2292,7 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			},
 			},
 		}
 		}
 
 
-		tc.checkSecret = func(es *esv1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(_ *esv1.ExternalSecret, secret *v1.Secret) {
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 		}
 		}
 	}
 	}
@@ -2453,7 +2453,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 					RefreshTime: metav1.Now(),
 					RefreshTime: metav1.Now(),
 				},
 				},
 			}
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			// this should not refresh, rv matches object
 			// this should not refresh, rv matches object
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 
@@ -2477,7 +2477,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 					RefreshTime: metav1.Now(),
 					RefreshTime: metav1.Now(),
 				},
 				},
 			}
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			// this should not refresh, rv matches object
 			// this should not refresh, rv matches object
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 
@@ -2498,7 +2498,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 					RefreshTime: metav1.Now(),
 					RefreshTime: metav1.Now(),
 				},
 				},
 			}
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 
 			// update gen -> refresh
 			// update gen -> refresh
@@ -2517,7 +2517,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 				Status: esv1.ExternalSecretStatus{},
 				Status: esv1.ExternalSecretStatus{},
 			}
 			}
 			// resource version matches
 			// resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 		})
 		})
 
 
@@ -2534,7 +2534,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 				},
 				},
 			}
 			}
 			// resource version matches
 			// resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 		})
 
 
@@ -2549,20 +2549,20 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 				Status: esv1.ExternalSecretStatus{},
 				Status: esv1.ExternalSecretStatus{},
 			}
 			}
 			// resource version matches
 			// resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 		})
 
 
 	})
 	})
 	Context("objectmeta hash", func() {
 	Context("objectmeta hash", func() {
 		It("should produce different hashes for different k/v pairs", func() {
 		It("should produce different hashes for different k/v pairs", func() {
-			h1 := util.HashMeta(metav1.ObjectMeta{
+			h1 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Generation: 1,
 				Annotations: map[string]string{
 				Annotations: map[string]string{
 					"foo": "bar",
 					"foo": "bar",
 				},
 				},
 			})
 			})
-			h2 := util.HashMeta(metav1.ObjectMeta{
+			h2 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Generation: 1,
 				Annotations: map[string]string{
 				Annotations: map[string]string{
 					"foo": "bing",
 					"foo": "bing",
@@ -2572,7 +2572,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 		})
 
 
 		It("should produce different hashes for different generations but same label/annotations", func() {
 		It("should produce different hashes for different generations but same label/annotations", func() {
-			h1 := util.HashMeta(metav1.ObjectMeta{
+			h1 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Generation: 1,
 				Annotations: map[string]string{
 				Annotations: map[string]string{
 					"foo": "bar",
 					"foo": "bar",
@@ -2581,7 +2581,7 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 					"foo": "bar",
 					"foo": "bar",
 				},
 				},
 			})
 			})
-			h2 := util.HashMeta(metav1.ObjectMeta{
+			h2 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 2,
 				Generation: 2,
 				Annotations: map[string]string{
 				Annotations: map[string]string{
 					"foo": "bar",
 					"foo": "bar",
@@ -2594,21 +2594,21 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 		})
 
 
 		It("should produce the same hash for the same k/v pairs", func() {
 		It("should produce the same hash for the same k/v pairs", func() {
-			h1 := util.HashMeta(metav1.ObjectMeta{
+			h1 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Generation: 1,
 			})
 			})
-			h2 := util.HashMeta(metav1.ObjectMeta{
+			h2 := ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Generation: 1,
 			})
 			})
 			Expect(h1).To(Equal(h2))
 			Expect(h1).To(Equal(h2))
 
 
-			h1 = util.HashMeta(metav1.ObjectMeta{
+			h1 = ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Generation: 1,
 				Annotations: map[string]string{
 				Annotations: map[string]string{
 					"foo": "bar",
 					"foo": "bar",
 				},
 				},
 			})
 			})
-			h2 = util.HashMeta(metav1.ObjectMeta{
+			h2 = ctrlutil.HashMeta(metav1.ObjectMeta{
 				Generation: 1,
 				Generation: 1,
 				Annotations: map[string]string{
 				Annotations: map[string]string{
 					"foo": "bar",
 					"foo": "bar",
@@ -2718,7 +2718,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 				},
 			}
 			}
 			// Set the synced resource version to match the current resource version
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 		})
 		})
 
 
@@ -2738,7 +2738,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 				},
 			}
 			}
 			// Set the synced resource version to match the current resource version
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 
 			es.Annotations["foo"] = "bar1"
 			es.Annotations["foo"] = "bar1"
@@ -2766,7 +2766,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 				},
 			}
 			}
 			// Set the synced resource version to match the current resource version
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 
 
 			// Initially should not refresh
 			// Initially should not refresh
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
@@ -2799,7 +2799,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 					RefreshTime: metav1.Now(),
 					RefreshTime: metav1.Now(),
 				},
 				},
 			}
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 
 			// When refresh interval has passed
 			// When refresh interval has passed
@@ -2823,7 +2823,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 				},
 			}
 			}
 			// Set the synced resource version to match the current resource version
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 		})
 		})
 
 
@@ -2858,7 +2858,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 				},
 			}
 			}
 			// Resource version matches
 			// Resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 		})
 
 
@@ -2874,7 +2874,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				Status: esv1.ExternalSecretStatus{},
 				Status: esv1.ExternalSecretStatus{},
 			}
 			}
 			// Resource version matches
 			// Resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 		})
 
 
@@ -2892,7 +2892,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 				},
 			}
 			}
 			// Resource version matches
 			// Resource version matches
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeTrue())
 			Expect(shouldRefresh(es)).To(BeTrue())
 		})
 		})
 
 
@@ -2918,9 +2918,10 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 					RefreshTime:           metav1.NewTime(metav1.Now().Add(-time.Second * 5)),
 					RefreshTime:           metav1.NewTime(metav1.Now().Add(-time.Second * 5)),
 				},
 				},
 			}
 			}
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 
+			// Update the spec by adding a new data item
 			es.ObjectMeta.Generation = 2
 			es.ObjectMeta.Generation = 2
 			es.Spec.Data = append(es.Spec.Data, esv1.ExternalSecretData{
 			es.Spec.Data = append(es.Spec.Data, esv1.ExternalSecretData{
 				SecretKey: "key2",
 				SecretKey: "key2",
@@ -2955,7 +2956,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 				},
 			}
 			}
 			// Set the synced resource version to match the current resource version
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 
 			// Update the spec by adding a new data item
 			// Update the spec by adding a new data item
@@ -2992,7 +2993,7 @@ var _ = Describe("ExternalSecret refresh policy", func() {
 				},
 				},
 			}
 			}
 			// Set the synced resource version to match the current resource version
 			// Set the synced resource version to match the current resource version
-			es.Status.SyncedResourceVersion = util.GetResourceVersion(es.ObjectMeta)
+			es.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(es.ObjectMeta)
 			Expect(shouldRefresh(es)).To(BeFalse())
 			Expect(shouldRefresh(es)).To(BeFalse())
 
 
 			// Update labels and annotations
 			// Update labels and annotations

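--- a/pkg/controllers/generatorstate/generatorstate_controller.go
+++ b/pkg/controllers/generatorstate/generatorstate_controller.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package generatorstate implements controllers for managing GeneratorState resources
 package generatorstate
 
 import (
@@ -36,6 +37,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Reconciler reconciles a GeneratorState object, managing its lifecycle and cleanup.
 type Reconciler struct {
 	client.Client
 
@@ -47,6 +49,11 @@ type Reconciler struct {
 
 const generatorStateFinalizer = "generatorstate.externalsecrets.io/finalizer"
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+//
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.15.0/pkg/reconcile
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) {
 	generatorState := &genv1alpha1.GeneratorState{}
 	err = r.Get(ctx, req.NamespacedName, generatorState)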
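Review bot: The doc comment added above `Reconcile` is the generic scaffold text and says nothing about what this reconciler does. The `generatorStateFinalizer` constant just above it and the new `Reconciler` comment ("managing its lifecycle and cleanup") suggest finalizer-driven cleanup, which is the part a reader needs to know. I would describe that instead, for example `// Reconcile fetches the GeneratorState named in req and handles its finalizer-based cleanup.`, with the wording confirmed against the body, which continues outside the hunk. The link pinned to `controller-runtime@v0.15.0` will also drift from the version the module actually builds against; an unversioned pkg.go.dev link avoids that.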

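--- a/pkg/controllers/generatorstate/util.go
+++ b/pkg/controllers/generatorstate/util.go
@@ -23,7 +23,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
-// NewgeneratorstateCondition a set of default options for creating an GeneratorState Condition.
+// NewGeneratorStateCondition a set of default options for creating an GeneratorState Condition.
 func NewGeneratorStateCondition(condType genv1alpha1.GeneratorStateConditionType, status v1.ConditionStatus, reason, message string) *genv1alpha1.GeneratorStateStatusCondition {
 	return &genv1alpha1.GeneratorStateStatusCondition{
 		Type:               condType,
@@ -34,7 +34,7 @@ func NewGeneratorStateCondition(condType genv1alpha1.GeneratorStateConditionType
 	}
 }
 
-// GetgeneratorstateCondition returns the condition with the provided type.
+// GetGeneratorStateCondition returns the condition with the provided type.
 func GetGeneratorStateCondition(status genv1alpha1.GeneratorStateStatus, condType genv1alpha1.GeneratorStateConditionType) *genv1alpha1.GeneratorStateStatusCondition {
 	for _, c := range status.Conditions {
 		if c.Type == condType {
@@ -44,8 +44,7 @@ func GetGeneratorStateCondition(status genv1alpha1.GeneratorStateStatus, condTyp
 	return nil
 }
 
-// SetGeneratorStateCondition updates the GeneratorState to include the provided
-// condition.
+// SetGeneratorStateCondition updates the GeneratorState to include the provided condition.
 func SetGeneratorStateCondition(gs *genv1alpha1.GeneratorState, condition genv1alpha1.GeneratorStateStatusCondition) {
 	currentCond := GetGeneratorStateCondition(gs.Status, condition.Type)
 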

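--- a/pkg/controllers/metrics/labels.go
+++ b/pkg/controllers/metrics/labels.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package metrics provides utilities for metrics used by controllers.
 package metrics
 
 import (
@@ -23,12 +24,16 @@ import (
 )
 
 var (
+	// NonConditionMetricLabelNames are the label names used for non-conditional metrics.
 	NonConditionMetricLabelNames = make([]string, 0)
 
+	// ConditionMetricLabelNames are the label names used for conditional metrics.
 	ConditionMetricLabelNames = make([]string, 0)
 
+	// NonConditionMetricLabels holds the actual label values for non-conditional metrics.
 	NonConditionMetricLabels = make(map[string]string)
 
+	// ConditionMetricLabels holds the actual label values for conditional metrics.
 	ConditionMetricLabels = make(map[string]string)
 )
 
@@ -94,10 +99,12 @@ func RefineLabels(promLabels prometheus.Labels, newLabels map[string]string) pro
 	return refinement
 }
 
+// RefineNonConditionMetricLabels refines the non-conditional metric labels with the given labels.
 func RefineNonConditionMetricLabels(labels map[string]string) prometheus.Labels {
 	return RefineLabels(NonConditionMetricLabels, labels)
 }
 
+// RefineConditionMetricLabels refines the conditional metric labels with the given labels.
 func RefineConditionMetricLabels(labels map[string]string) prometheus.Labels {
 	return RefineLabels(ConditionMetricLabels, labels)
 }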
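Review bot: The new comments on the four package-level variables speak of "conditional" and "non-conditional" metrics, which reads as metrics that are emitted conditionally. The identifiers suggest the split is presumably between metrics that report a status condition and those that do not. If so, wording such as `// ConditionMetricLabelNames are the label names used for metrics that report a status condition.` would say it directly. The comments on `RefineNonConditionMetricLabels` and `RefineConditionMetricLabels` only restate the function names; noting that each calls `RefineLabels` with the matching package-level label map as the base would tell the reader more.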

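--- a/pkg/controllers/pushsecret/psmetrics/psmetrics.go
+++ b/pkg/controllers/pushsecret/psmetrics/psmetrics.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package psmetrics provides metrics for PushSecret controller.
 package psmetrics
 
 import (
@@ -26,9 +27,14 @@ import (
 )
 
 const (
-	PushSecretSubsystem            = "pushsecret"
+	// PushSecretSubsystem is the subsystem name for PushSecret metrics.
+	PushSecretSubsystem = "pushsecret"
+
+	// PushSecretReconcileDurationKey is the key for the reconcile duration metric.
 	PushSecretReconcileDurationKey = "reconcile_duration"
-	PushSecretStatusConditionKey   = "status_condition"
+
+	// PushSecretStatusConditionKey is the key for the status condition metric.
+	PushSecretStatusConditionKey = "status_condition"
 )
 
 var gaugeVecMetrics = map[string]*prometheus.GaugeVec{}
@@ -56,6 +62,7 @@ func SetUpMetrics() {
 	}
 }
 
+// UpdatePushSecretCondition updates the condition metrics for a PushSecret.
 func UpdatePushSecretCondition(ps *esapi.PushSecret, condition *esapi.PushSecretStatusCondition, value float64) {
 	psInfo := make(map[string]string)
 	psInfo["name"] = ps.Name
@@ -99,6 +106,7 @@ func UpdatePushSecretCondition(ps *esapi.PushSecret, condition *esapi.PushSecret
 		})).Set(value)
 }
 
+// GetGaugeVec returns a GaugeVec for the given metric key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }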
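Review bot: The comment added on `GetGaugeVec` in the last hunk leaves out the nil case. The body is a plain lookup, `return gaugeVecMetrics[key]`, so a key that is not in the map yields a nil `*prometheus.GaugeVec`, and a caller that chains a method on the result has no warning of that. I would word it as `// GetGaugeVec returns the GaugeVec stored under key, or nil if key is not present in gaugeVecMetrics.` so that callers check the result before using it.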

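--- a/pkg/controllers/pushsecret/pushsecret_controller.go
+++ b/pkg/controllers/pushsecret/pushsecret_controller.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package pushsecret implements the controller for managing PushSecret resources.
 package pushsecret
 
 import (
@@ -44,11 +45,12 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/controllers/pushsecret/psmetrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
 	"github.com/external-secrets/external-secrets/pkg/controllers/util"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/generator/statemanager"
 	"github.com/external-secrets/external-secrets/pkg/provider/util/locks"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 
+	// Load registered generators.
 	_ "github.com/external-secrets/external-secrets/pkg/generator/register"
 )
 
@@ -64,6 +66,9 @@ const (
 	errCloudNotUpdateFinalizer = "could not update finalizers: %w"
 )
 
+// Reconciler is the controller for PushSecret resources.
+// It manages the lifecycle of PushSecrets, ensuring that secrets are pushed to
+// specified secret stores according to the defined policies and templates.
 type Reconciler struct {
 	client.Client
 	Log             logr.Logger
@@ -74,6 +79,9 @@ type Reconciler struct {
 	ControllerClass string
 }
 
+// SetupWithManager sets up the controller with the Manager.
+// It configures the controller to watch PushSecret resources and
+// manages indexing for efficient lookups based on secret stores and deletion policies.
 func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opts controller.Options) error {
 	r.recorder = mgr.GetEventRecorderFor("pushsecret")
 
@@ -111,6 +119,10 @@ func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opt
 		Complete(r)
 }
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("pushsecret", req.NamespacedName)
 
@@ -191,7 +203,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	}
 	if !shouldRefresh(ps) {
 		refreshInt = (ps.Spec.RefreshInterval.Duration - timeSinceLastRefresh) + 5*time.Second
-		log.V(1).Info("skipping refresh", "rv", util.GetResourceVersion(ps.ObjectMeta), "nr", refreshInt.Seconds())
+		log.V(1).Info("skipping refresh", "rv", ctrlutil.GetResourceVersion(ps.ObjectMeta), "nr", refreshInt.Seconds())
 		return ctrl.Result{RequeueAfter: refreshInt}, nil
 	}
 
@@ -269,7 +281,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 }
 
 func shouldRefresh(ps esapi.PushSecret) bool {
-	if ps.Status.SyncedResourceVersion != util.GetResourceVersion(ps.ObjectMeta) {
+	if ps.Status.SyncedResourceVersion != ctrlutil.GetResourceVersion(ps.ObjectMeta) {
 		return true
 	}
 	if ps.Spec.RefreshInterval.Duration == 0 && ps.Status.SyncedResourceVersion != "" {
@@ -299,7 +311,7 @@ func (r *Reconciler) markAsDone(ps *esapi.PushSecret, secrets esapi.SyncedPushSe
 	SetPushSecretCondition(ps, *cond)
 	r.setSecrets(ps, secrets)
 	ps.Status.RefreshTime = metav1.NewTime(start)
-	ps.Status.SyncedResourceVersion = util.GetResourceVersion(ps.ObjectMeta)
+	ps.Status.SyncedResourceVersion = ctrlutil.GetResourceVersion(ps.ObjectMeta)
 	r.recorder.Event(ps, v1.EventTypeNormal, esapi.ReasonSynced, msg)
 }
 
@@ -323,6 +335,9 @@ func mergeSecretState(newMap, old esapi.SyncedPushSecretsMap) esapi.SyncedPushSe
 	return out
 }
 
+// DeleteSecretFromProviders removes secrets from providers that are no longer needed.
+// It compares the existing synced secrets in the PushSecret status with the new desired state,
+// and deletes any secrets that are no longer present in the new state.
 func (r *Reconciler) DeleteSecretFromProviders(ctx context.Context, ps *esapi.PushSecret, newMap esapi.SyncedPushSecretsMap, mgr *secretstore.Manager) (esapi.SyncedPushSecretsMap, error) {
 	out := mergeSecretState(newMap, ps.Status.SyncedPushSecrets)
 	for storeName, oldData := range ps.Status.SyncedPushSecrets {
@@ -357,6 +372,7 @@ func (r *Reconciler) DeleteSecretFromProviders(ctx context.Context, ps *esapi.Pu
 	return out, nil
 }
 
+// DeleteAllSecretsFromStore removes all secrets from a given secret store.
 func (r *Reconciler) DeleteAllSecretsFromStore(ctx context.Context, client esv1.SecretsClient, data map[string]esapi.PushSecretData) error {
 	for _, v := range data {
 		err := r.DeleteSecretFromStore(ctx, client, v)
@@ -367,10 +383,14 @@ func (r *Reconciler) DeleteAllSecretsFromStore(ctx context.Context, client esv1.
 	return nil
 }
 
+// DeleteSecretFromStore removes a specific secret from a given secret store.
 func (r *Reconciler) DeleteSecretFromStore(ctx context.Context, client esv1.SecretsClient, data esapi.PushSecretData) error {
 	return client.DeleteSecret(ctx, data.Match.RemoteRef)
 }
 
+// PushSecretToProviders pushes the secret data to the specified secret stores.
+// It iterates over each store and handles the push operation according to the
+// defined update policies and conversion strategies.
 func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores map[esapi.PushSecretStoreRef]esv1.GenericStore, ps esapi.PushSecret, secret *v1.Secret, mgr *secretstore.Manager) (esapi.SyncedPushSecretsMap, error) {
 	out := make(esapi.SyncedPushSecretsMap)
 	for ref, store := range stores {
@@ -395,7 +415,7 @@ func (r *Reconciler) handlePushSecretDataForStore(ctx context.Context, ps esapi.
 		return out, fmt.Errorf("could not get secrets client for store %v: %w", storeName, err)
 	}
 	for _, data := range ps.Spec.Data {
-		secretData, err := utils.ReverseKeys(data.ConversionStrategy, originalSecretData)
+		secretData, err := esutils.ReverseKeys(data.ConversionStrategy, originalSecretData)
 		if err != nil {
 			return nil, fmt.Errorf(errConvert, err)
 		}
@@ -513,6 +533,9 @@ func (r *Reconciler) resolveSecretFromGenerator(ctx context.Context, namespace s
 	}, err
 }
 
+// GetSecretStores retrieves the SecretStore and ClusterSecretStore resources
+// referenced in the PushSecret. It supports both direct references by name
+// and label selectors to find multiple stores.
 func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) (map[esapi.PushSecretStoreRef]esv1.GenericStore, error) {
 	stores := make(map[esapi.PushSecretStoreRef]esv1.GenericStore)
 	for _, refStore := range ps.Spec.SecretStoreRefs {
@@ -583,6 +606,7 @@ func (r *Reconciler) getSecretStoreFromName(ctx context.Context, refStore esapi.
 	return &store, nil
 }
 
+// NewPushSecretCondition creates a new PushSecret condition.
 func NewPushSecretCondition(condType esapi.PushSecretConditionType, status v1.ConditionStatus, reason, message string) *esapi.PushSecretStatusCondition {
 	return &esapi.PushSecretStatusCondition{
 		Type:               condType,
@@ -593,6 +617,7 @@ func NewPushSecretCondition(condType esapi.PushSecretConditionType, status v1.Co
 	}
 }
 
+// SetPushSecretCondition updates the PushSecret to include the provided condition.
 func SetPushSecretCondition(ps *esapi.PushSecret, condition esapi.PushSecretStatusCondition) {
 	currentCond := GetPushSecretCondition(ps.Status.Conditions, condition.Type)
 	if currentCond != nil && currentCond.Status == condition.Status &&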
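Review bot: The `ctrlutil` qualifier now used in Reconcile, shouldRefresh and markAsDone does not appear anywhere in the import block. The import that supplies it is still the unaliased context line `"github.com/external-secrets/external-secrets/pkg/controllers/util"`. Presumably the package clause in that directory was renamed elsewhere in this commit, which this section does not show. Writing the import as `ctrlutil "github.com/external-secrets/external-secrets/pkg/controllers/util"` makes the binding explicit, so a reader or a grep for `ctrlutil` lands on the import line. The three functions start and end outside their hunks.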

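--- a/pkg/controllers/pushsecret/pushsecret_controller_template.go
+++ b/pkg/controllers/pushsecret/pushsecret_controller_template.go
@@ -26,8 +26,8 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/templating"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/template"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register" // Loading registered providers.
 )
@@ -106,8 +106,8 @@ func setMetadata(secret *v1.Secret, ps *v1alpha1.PushSecret) error {
 	}
 
 	secret.Type = ps.Spec.Template.Type
-	utils.MergeStringMap(secret.ObjectMeta.Labels, ps.Spec.Template.Metadata.Labels)
-	utils.MergeStringMap(secret.ObjectMeta.Annotations, ps.Spec.Template.Metadata.Annotations)
+	esutils.MergeStringMap(secret.ObjectMeta.Labels, ps.Spec.Template.Metadata.Labels)
+	esutils.MergeStringMap(secret.ObjectMeta.Annotations, ps.Spec.Template.Metadata.Annotations)
 
 	return nil
 }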

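--- a/pkg/controllers/pushsecret/pushsecret_controller_test.go
+++ b/pkg/controllers/pushsecret/pushsecret_controller_test.go
@@ -249,7 +249,7 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return nil
 		}
-		fakeProvider.SecretExistsFn = func(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+		fakeProvider.SecretExistsFn = func(_ context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 			setSecretArgs := fakeProvider.GetPushSecretData()
 			_, ok := setSecretArgs[ref.GetRemoteKey()]
 			return ok, nil
@@ -279,7 +279,7 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return nil
 		}
-		fakeProvider.SecretExistsFn = func(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+		fakeProvider.SecretExistsFn = func(_ context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 			setSecretArgs := fakeProvider.GetPushSecretData()
 			_, ok := setSecretArgs[ref.GetRemoteKey()]
 			return ok, nil
@@ -322,7 +322,7 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return nil
 		}
-		fakeProvider.SecretExistsFn = func(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+		fakeProvider.SecretExistsFn = func(_ context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 			setSecretArgs := fakeProvider.GetPushSecretData()
 			_, ok := setSecretArgs[ref.GetRemoteKey()]
 			return ok, nil
@@ -373,12 +373,12 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return nil
 		}
-		fakeProvider.SecretExistsFn = func(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+		fakeProvider.SecretExistsFn = func(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 			return false, errors.New("don't know")
 		}
 		tc.pushsecret.Spec.UpdatePolicy = v1alpha1.PushSecretUpdatePolicyIfNotExists
 
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			Eventually(func() bool {
 				By("checking if sync failed if secret existence cannot be verified in Provider")
 				expected := v1alpha1.PushSecretStatusCondition{
@@ -442,7 +442,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			Eventually(func() bool {
 				By("checking if Provider value got updated")
 				setSecretArgs := fakeProvider.GetPushSecretData()
@@ -506,7 +506,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			Eventually(func() bool {
 				By("checking if Provider value got updated")
 				setSecretArgs := fakeProvider.GetPushSecretData()
@@ -556,7 +556,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			ps.Spec.Data[0].Match.RemoteRef.RemoteKey = newKey
 			updatedPS := &v1alpha1.PushSecret{}
 			Expect(k8sClient.Update(context.Background(), ps, &client.UpdateOptions{})).Should(Succeed())
@@ -612,7 +612,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			ps.Spec.DeletionPolicy = v1alpha1.PushSecretDeletionPolicyNone
 			updatedPS := &v1alpha1.PushSecret{}
 			Expect(k8sClient.Update(context.Background(), ps, &client.UpdateOptions{})).Should(Succeed())
@@ -667,7 +667,7 @@ var _ = Describe("PushSecret controller", func() {
 				},
 			},
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			ps.Spec.Data[0].Match.RemoteRef.RemoteKey = newKey
 			updatedPS := &v1alpha1.PushSecret{}
 			Expect(k8sClient.Update(context.Background(), ps, &client.UpdateOptions{})).Should(Succeed())
@@ -696,7 +696,7 @@ var _ = Describe("PushSecret controller", func() {
 			return errors.New("boom")
 		}
 		tc.pushsecret.Spec.DeletionPolicy = v1alpha1.PushSecretDeletionPolicyDelete
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			secondStore := &esv1.SecretStore{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "new-store",
@@ -738,7 +738,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		tc.pushsecret.Spec.DeletionPolicy = v1alpha1.PushSecretDeletionPolicyDelete
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			secondStore := &esv1.SecretStore{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "new-store",
@@ -956,7 +956,7 @@ var _ = Describe("PushSecret controller", func() {
 			Kind:       "Fake",
 			Name:       "test",
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			setSecretArgs := fakeProvider.GetPushSecretData()
 			providerValue := setSecretArgs[ps.Spec.Data[0].Match.RemoteRef.RemoteKey].Value
 			expected := v1alpha1.PushSecretStatusCondition{
@@ -1041,7 +1041,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		tc.secret = nil
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1057,7 +1057,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		tc.pushsecret.Spec.Data[0].Match.SecretKey = "unexisting"
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1073,7 +1073,7 @@ var _ = Describe("PushSecret controller", func() {
 			return nil
 		}
 		tc.store = nil
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1091,7 +1091,7 @@ var _ = Describe("PushSecret controller", func() {
 		tc.store = nil
 		tc.pushsecret.Spec.SecretStoreRefs[0].Kind = "ClusterSecretStore"
 		tc.pushsecret.Spec.SecretStoreRefs[0].Name = "unexisting"
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1106,7 +1106,7 @@ var _ = Describe("PushSecret controller", func() {
 		fakeProvider.SetSecretFn = func() error {
 			return errors.New("boom")
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1118,10 +1118,10 @@ var _ = Describe("PushSecret controller", func() {
 	}
 	// if target Secret name is not specified it should use the ExternalSecret name.
 	newClientFail := func(tc *testCase) {
-		fakeProvider.NewFn = func(context.Context, esv1.GenericStore, client.Client, string) (esv1.SecretsClient, error) {
+		fakeProvider.NewFn = func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 			return nil, errors.New("boom")
 		}
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			expected := v1alpha1.PushSecretStatusCondition{
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
@@ -1169,7 +1169,7 @@ var _ = Describe("PushSecret controller", func() {
 		}
 		// Should not select the SecretStore in a different namespace
 		// (if so, it would fail to find it in the same namespace and be reflected in the status)
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			// Assert that the status is never updated (no SecretStores found)
 			Consistently(func() bool {
 				err := k8sClient.Get(context.Background(), client.ObjectKeyFromObject(ps), ps)
@@ -1209,7 +1209,7 @@ var _ = Describe("PushSecret controller", func() {
 			},
 		}
 
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(_ *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			Eventually(func() bool {
 				// We should not be able to reference a secret across namespaces,
 				// the map should be empty.
@@ -1495,7 +1495,7 @@ var _ = Describe("PushSecret Controller Un/Managed Stores", func() {
 			},
 		}
 
-		tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
+		tc.assert = func(ps *v1alpha1.PushSecret, _ *v1.Secret) bool {
 			return len(ps.Status.Conditions) == 0
 		}
 	}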

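--- a/pkg/controllers/secretstore/client_manager.go
+++ b/pkg/controllers/secretstore/client_manager.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package secretstore implements the controllers for managing SecretStore resources
 package secretstore
 
 import (
@@ -77,6 +78,9 @@ func NewManager(ctrlClient client.Client, controllerClass string, enableFloodgat
 	}
 }
 
+// GetFromStore returns a provider client from the given store.
+// Do not close the client returned from this func, instead close
+// the manager once you're done with reconciling the external secret.
 func (m *Manager) GetFromStore(ctx context.Context, store esv1.GenericStore, namespace string) (esv1.SecretsClient, error) {
 	storeProvider, err := esv1.GetProvider(store)
 	if err != nil {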
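Review bot: The new GetFromStore comment ties the client's lifetime to "reconciling the external secret", which is narrower than how the manager is used. The PushSecret controller in this same commit takes a `*secretstore.Manager` in `DeleteSecretFromProviders` and `PushSecretToProviders`, so the do-not-close rule applies to every reconciler that owns a manager. The manager appears to cache clients (the test file refers to "the client from the cache"), so the ownership rule should be stated generally, for example `// the manager once the reconciliation that created it has finished.` The package comment in the first hunk is also missing the trailing period that the other package comments in this commit carry: `// Package secretstore implements the controllers for managing SecretStore resources.` GetFromStore's body continues outside the hunk.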

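--- a/pkg/controllers/secretstore/client_manager_test.go
+++ b/pkg/controllers/secretstore/client_manager_test.go
@@ -142,7 +142,7 @@ func TestManagerGet(t *testing.T) {
 				namespace: defaultStore.Namespace,
 				sourceRef: nil,
 			},
-			clientConstructor: func(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
+			clientConstructor: func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 				return clientA, nil
 			},
 			verify: func(sc esv1.SecretsClient) {
@@ -184,7 +184,7 @@ func TestManagerGet(t *testing.T) {
 				},
 				namespace: defaultStore.Namespace,
 			},
-			clientConstructor: func(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
+			clientConstructor: func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 				return clientB, nil
 			},
 			verify: func(sc esv1.SecretsClient) {
@@ -226,7 +226,7 @@ func TestManagerGet(t *testing.T) {
 				namespace: defaultStore.Namespace,
 				sourceRef: nil,
 			},
-			clientConstructor: func(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
+			clientConstructor: func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 				// constructor should not be called,
 				// the client from the cache should be returned instead
 				t.Fail()
@@ -272,7 +272,7 @@ func TestManagerGet(t *testing.T) {
 				namespace: otherStore.Namespace,
 				sourceRef: nil,
 			},
-			clientConstructor: func(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
+			clientConstructor: func(_ context.Context, _ esv1.GenericStore, _ client.Client, _ string) (esv1.SecretsClient, error) {
 				// because there is a store mismatch
 				// we create a new client
 				return clientB, nil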

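--- a/pkg/controllers/secretstore/clustersecretstore_controller.go
+++ b/pkg/controllers/secretstore/clustersecretstore_controller.go
@@ -50,6 +50,10 @@ type ClusterStoreReconciler struct {
 	PushSecretEnabled bool
 }
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
 func (r *ClusterStoreReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("clustersecretstore", req.NamespacedName)
 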

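--- a/pkg/controllers/secretstore/common.go
+++ b/pkg/controllers/secretstore/common.go
@@ -36,16 +36,17 @@ import (
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore/metrics"
 
+	// Load registered providers.
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"
 )
 
 const (
-	errStoreClient         = "could not get provider client: %w"
-	errValidationFailed    = "could not validate provider: %w"
-	errValidationUnknown   = "could not determine validation status"
-	errPatchStatus         = "unable to patch status: %w"
-	errUnableCreateClient  = "unable to create client"
-	errUnableValidateStore = "unable to validate store"
+	errStoreClient          = "could not get provider client: %w"
+	errValidationFailed     = "could not validate provider: %w"
+	errValidationUnknownMsg = "could not determine validation status"
+	errPatchStatus          = "unable to patch status: %w"
+	errUnableCreateClient   = "unable to create client"
+	errUnableValidateStore  = "unable to validate store"
 
 	msgStoreValidated     = "store validated"
 	msgStoreNotMaintained = "store isn't currently maintained. Please plan and prepare accordingly."
@@ -54,8 +55,9 @@ const (
 	secretStoreFinalizer = "secretstore.externalsecrets.io/finalizer"
 )
 
-var validationUnknownError = errors.New("could not determine validation status")
+var errValidationUnknown = errors.New(errValidationUnknownMsg)
 
+// Opts holds the options for the reconcile function.
 type Opts struct {
 	ControllerClass string
 	GaugeVecGetter  metrics.GaugeVevGetter
@@ -107,7 +109,7 @@ func reconcile(ctx context.Context, req ctrl.Request, ss esapi.GenericStore, cl
 		log.Error(err, "unable to validate store")
 		// in case of validation status unknown, validateStore will mark
 		// the store as ready but we should show ReasonValidationUnknown
-		if errors.Is(err, validationUnknownError) {
+		if errors.Is(err, errValidationUnknown) {
 			return ctrl.Result{RequeueAfter: requeueInterval}, nil
 		}
 		return ctrl.Result{}, err
@@ -161,10 +163,10 @@ func validateStore(ctx context.Context, namespace, controllerClass string, store
 	validationResult, err := cl.Validate()
 	if err != nil {
 		if validationResult == esapi.ValidationResultUnknown {
-			cond := NewSecretStoreCondition(esapi.SecretStoreReady, v1.ConditionTrue, esapi.ReasonValidationUnknown, errValidationUnknown)
+			cond := NewSecretStoreCondition(esapi.SecretStoreReady, v1.ConditionTrue, esapi.ReasonValidationUnknown, errValidationUnknownMsg)
 			SetExternalSecretCondition(store, *cond, gaugeVecGetter)
 			recorder.Event(store, v1.EventTypeWarning, esapi.ReasonValidationUnknown, err.Error())
-			return validationUnknownError
+			return errValidationUnknown
 		}
 		cond := NewSecretStoreCondition(esapi.SecretStoreReady, v1.ConditionFalse, esapi.ReasonInvalidProviderConfig, errUnableValidateStore)
 		SetExternalSecretCondition(store, *cond, gaugeVecGetter)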
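Review bot: The sentinel `errValidationUnknown` declared after the const block has no comment, although `reconcile` gives it special treatment: `errors.Is(err, errValidationUnknown)` turns the failure into a requeue with a nil error, and `validateStore` returns it only after setting the Ready condition to true with `ReasonValidationUnknown`. A line such as `// errValidationUnknown is returned by validateStore when the provider reports ValidationResultUnknown; reconcile requeues instead of failing.` above the var would record that contract for the next reader. After this rename the `err` prefix in this file covers both plain message strings and an `error` value, which is worth a short remark in the const block as well. Both `reconcile` and `validateStore` continue outside the hunks shown.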

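--- a/pkg/controllers/secretstore/cssmetrics/cssmetrics.go
+++ b/pkg/controllers/secretstore/cssmetrics/cssmetrics.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cssmetrics provides metrics for ClusterSecretStore controllers.
 package cssmetrics
 
 import (
@@ -25,7 +26,10 @@ import (
 )
 
 const (
-	ClusterSecretStoreSubsystem            = "clustersecretstore"
+	// ClusterSecretStoreSubsystem is the subsystem name for ClusterSecretStore metrics.
+	ClusterSecretStoreSubsystem = "clustersecretstore"
+
+	// ClusterSecretStoreReconcileDurationKey is the key for the reconcile duration metric.
 	ClusterSecretStoreReconcileDurationKey = "reconcile_duration"
 )
 
@@ -54,6 +58,7 @@ func SetUpMetrics() {
 	}
 }
 
+// GetGaugeVec retrieves a Prometheus GaugeVec based on the provided key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }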
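Review bot: The new comment on `GetGaugeVec` does not say what a caller gets for a key that was never registered. The body is a bare `gaugeVecMetrics[key]` lookup, so, assuming `gaugeVecMetrics` is a map of `*prometheus.GaugeVec`, an unknown key yields nil and the caller's next method call on the result would likely panic. I would word the comment as `// GetGaugeVec returns the GaugeVec registered under key, or nil if no such metric was set up.` The same applies to `GetGaugeVec` in pkg/controllers/secretstore/ssmetrics/ssmetrics.go.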

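--- a/pkg/controllers/secretstore/metrics/metrics.go
+++ b/pkg/controllers/secretstore/metrics/metrics.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package metrics provides metrics for SecretStore controllers.
 package metrics
 
 import (
@@ -24,10 +25,13 @@ import (
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 )
 
+// StatusConditionKey is the key for the status condition metric.
 const StatusConditionKey = "status_condition"
 
+// GaugeVevGetter is a function type that retrieves a Prometheus GaugeVec based on a provided key.
 type GaugeVevGetter func(key string) *prometheus.GaugeVec
 
+// UpdateStatusCondition updates the condition metrics for a SecretStore.
 func UpdateStatusCondition(ss esapi.GenericStore, condition esapi.SecretStoreStatusCondition, gaugeVecGetter GaugeVevGetter) {
 	ssInfo := make(map[string]string)
 	ssInfo["name"] = ss.GetName()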
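Review bot: The added doc comment documents the exported type under its misspelled name, `GaugeVevGetter` ("Vev" for "Vec"), and a lint pass is a natural place to correct it. Renaming it outright would break users such as the `GaugeVecGetter  metrics.GaugeVevGetter` field in pkg/controllers/secretstore/common.go, so a compatible step is to add `type GaugeVecGetter = GaugeVevGetter` and put `// Deprecated: use GaugeVecGetter.` on the old name. `UpdateStatusCondition` continues outside the hunk.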

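--- a/pkg/controllers/secretstore/secretstore_controller.go
+++ b/pkg/controllers/secretstore/secretstore_controller.go
@@ -50,6 +50,10 @@ type StoreReconciler struct {
 	PushSecretEnabled bool
 }
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile
 func (r *StoreReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("secretstore", req.NamespacedName)
 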

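--- a/pkg/controllers/secretstore/ssmetrics/ssmetrics.go
+++ b/pkg/controllers/secretstore/ssmetrics/ssmetrics.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package ssmetrics provides metrics for SecretStore controllers.
 package ssmetrics
 
 import (
@@ -25,7 +26,10 @@ import (
 )
 
 const (
-	SecretStoreSubsystem            = "secretstore"
+	// SecretStoreSubsystem is the subsystem name for SecretStore metrics.
+	SecretStoreSubsystem = "secretstore"
+
+	// SecretStoreReconcileDurationKey is the key for the reconcile duration metric.
 	SecretStoreReconcileDurationKey = "reconcile_duration"
 )
 
@@ -54,6 +58,7 @@ func SetUpMetrics() {
 	}
 }
 
+// GetGaugeVec returns the GaugeVec for the given key.
 func GetGaugeVec(key string) *prometheus.GaugeVec {
 	return gaugeVecMetrics[key]
 }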

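--- a/pkg/controllers/templating/parser.go
+++ b/pkg/controllers/templating/parser.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package templating provides functionality for templating secret data.
 package templating
 
 import (
@@ -40,6 +41,7 @@ var (
 	errExecTpl          = "could not execute template: %w"
 )
 
+// Parser is responsible for parsing and merging templates into a target secret.
 type Parser struct {
 	Exec         template.ExecFunc
 	DataMap      map[string][]byte
@@ -50,6 +52,7 @@ type Parser struct {
 	TemplateFromSecret    *v1.Secret
 }
 
+// MergeConfigMap merges the configmap template specified in the ExternalSecretTemplate's TemplateFrom field.
 func (p *Parser) MergeConfigMap(ctx context.Context, namespace string, tpl esv1.TemplateFrom) error {
 	if tpl.ConfigMap == nil {
 		return nil
@@ -88,6 +91,7 @@ func (p *Parser) MergeConfigMap(ctx context.Context, namespace string, tpl esv1.
 	return nil
 }
 
+// MergeSecret merges the secret template specified in the ExternalSecretTemplate's TemplateFrom field.
 func (p *Parser) MergeSecret(ctx context.Context, namespace string, tpl esv1.TemplateFrom) error {
 	if tpl.Secret == nil {
 		return nil
@@ -126,6 +130,7 @@ func (p *Parser) MergeSecret(ctx context.Context, namespace string, tpl esv1.Tem
 	return nil
 }
 
+// MergeLiteral merges the literal template specified in the ExternalSecretTemplate's TemplateFrom field.
 func (p *Parser) MergeLiteral(_ context.Context, tpl esv1.TemplateFrom) error {
 	if tpl.Literal == nil {
 		return nil
@@ -135,6 +140,7 @@ func (p *Parser) MergeLiteral(_ context.Context, tpl esv1.TemplateFrom) error {
 	return p.Exec(out, p.DataMap, esv1.TemplateScopeKeysAndValues, tpl.Target, p.TargetSecret)
 }
 
+// MergeTemplateFrom merges all templates specified in the ExternalSecretTemplate's TemplateFrom field.
 func (p *Parser) MergeTemplateFrom(ctx context.Context, namespace string, template *esv1.ExternalSecretTemplate) error {
 	if template == nil {
 		return nil
@@ -157,6 +163,7 @@ func (p *Parser) MergeTemplateFrom(ctx context.Context, namespace string, templa
 	return nil
 }
 
+// MergeMap merges the given map of templates into the target secret.
 func (p *Parser) MergeMap(tplMap map[string]string, target esv1.TemplateTarget) error {
 	byteMap := make(map[string][]byte)
 	for k, v := range tplMap {
@@ -169,6 +176,7 @@ func (p *Parser) MergeMap(tplMap map[string]string, target esv1.TemplateTarget)
 	return nil
 }
 
+// GetManagedAnnotationKeys returns the keys of the annotations managed by the given field owner.
 func GetManagedAnnotationKeys(secret *v1.Secret, fieldOwner string) ([]string, error) {
 	return getManagedFieldKeys(secret, fieldOwner, func(fields map[string]any) []string {
 		metadataFields, exists := fields["f:metadata"]
@@ -195,6 +203,9 @@ func GetManagedAnnotationKeys(secret *v1.Secret, fieldOwner string) ([]string, e
 	})
 }
 
+// GetManagedLabelKeys returns the keys of labels that are managed by the given field owner.
+// It checks the ManagedFields of the secret for entries with the specified field owner
+// and extracts the keys of the labels from the fields managed by that owner.
 func GetManagedLabelKeys(secret *v1.Secret, fieldOwner string) ([]string, error) {
 	return getManagedFieldKeys(secret, fieldOwner, func(fields map[string]any) []string {
 		metadataFields, exists := fields["f:metadata"]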

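--- a/pkg/controllers/util/util.go
+++ b/pkg/controllers/util/util.go
@@ -13,26 +13,31 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-package util
+
+// Package ctrlutil provides utility functions for controllers.
+package ctrlutil
 
 import (
 	"fmt"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
+// GetResourceVersion returns a string representing the resource version of the object.
+// It is a combination of the generation and a hash of the labels and annotations.
 func GetResourceVersion(meta metav1.ObjectMeta) string {
 	return fmt.Sprintf("%d-%s", meta.GetGeneration(), HashMeta(meta))
 }
 
+// HashMeta returns a hash of the metadata's labels and annotations.
 func HashMeta(m metav1.ObjectMeta) string {
 	type meta struct {
 		annotations map[string]string
 		labels      map[string]string
 	}
-	return utils.ObjectHash(meta{
+	return esutils.ObjectHash(meta{
 		annotations: m.Annotations,
 		labels:      m.Labels,
 	})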
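Review bot: The package clause now reads `package ctrlutil` while the file stays in pkg/controllers/util, so the package name no longer matches the last element of its import path. Every importer has to know the real name or alias the import by hand, and a reader seeing `ctrlutil.HashMeta` cannot find the directory from the identifier. Either move the directory to pkg/controllers/ctrlutil in the same change, as was done for pkg/utils → pkg/esutils, or state the mismatch in the package comment, e.g. `// Package ctrlutil (import path .../pkg/controllers/util) provides utility functions for controllers.`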

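--- a/pkg/controllers/webhookconfig/webhookconfig.go
+++ b/pkg/controllers/webhookconfig/webhookconfig.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package webhookconfig contains the controller for the WebhookConfig resource.
 package webhookconfig
 
 import (
@@ -25,7 +26,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/go-logr/logr"
 	admissionregistration "k8s.io/api/admissionregistration/v1"
 	v1 "k8s.io/api/core/v1"
@@ -41,6 +42,8 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/constants"
 )
 
+// Reconciler reconciles a ValidatingWebhookConfiguration object
+// and updates it with the CA bundle from the given secret.
 type Reconciler struct {
 	client.Client
 	Log             logr.Logger
@@ -61,6 +64,7 @@ type Reconciler struct {
 	webhookReady   bool
 }
 
+// Opts are the options for the webhookconfig controller Reconciler.
 type Opts struct {
 	SvcName         string
 	SvcNamespace    string
@@ -69,6 +73,9 @@ type Opts struct {
 	RequeueInterval time.Duration
 }
 
+// New returns a new Reconciler.
+// The controller will watch ValidatingWebhookConfiguration resources
+// and update them with the CA bundle from the given secret.
 func New(k8sClient client.Client, scheme *runtime.Scheme, leaderChan <-chan struct{}, log logr.Logger, opts Opts) *Reconciler {
 	return &Reconciler{
 		Client:          k8sClient,
@@ -87,6 +94,7 @@ func New(k8sClient client.Client, scheme *runtime.Scheme, leaderChan <-chan stru
 }
 
 const (
+	// ReasonUpdateFailed is used when we fail to update the webhook config.
 	ReasonUpdateFailed = "UpdateFailed"
 	errWebhookNotReady = "webhook not ready"
 	errCACertNotReady  = "ca cert not yet ready"
@@ -94,6 +102,10 @@ const (
 	caCertName = "ca.crt"
 )
 
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// In this case, we reconcile ValidatingWebhookConfiguration resources
+// that are labeled with the well-known label key and value.
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithValues("Webhookconfig", req.NamespacedName)
 	var cfg admissionregistration.ValidatingWebhookConfiguration
@@ -130,6 +142,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	}, nil
 }
 
+// SetupWithManager sets up the controller with the Manager.
+// Also initializes the event recorder.
 func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options) error {
 	r.recorder = mgr.GetEventRecorderFor("validating-webhook-configuration")
 	return ctrl.NewControllerManagedBy(mgr).
@@ -138,6 +152,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options)
 		Complete(r)
 }
 
+// ReadyCheck does a readiness check for the webhook using the endpoint slices.
 func (r *Reconciler) ReadyCheck(_ *http.Request) error {
 	// skip readiness check if we're not leader
 	// as we depend on caches and being able to reconcile Webhooks
@@ -155,7 +170,7 @@ func (r *Reconciler) ReadyCheck(_ *http.Request) error {
 		return errors.New(errWebhookNotReady)
 	}
 
-	return esutils.CheckEndpointSlicesReady(context.TODO(), r.Client, r.SvcName, r.SvcNamespace)
+	return esutils.CheckEndpointSlicesReady(context.TODO(), r.Client, r.SvcName, r.SvcNamespace)
 }
 
 // reads the ca cert and updates the webhook config.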
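Review bot: `ReadyCheck` discards its `*http.Request` and passes `context.TODO()` to `esutils.CheckEndpointSlicesReady`, so the `c.List` call behind the readiness probe is not bounded by the probe request's cancellation or deadline. Since the line is touched anyway, name the parameter and use its context: `func (r *Reconciler) ReadyCheck(req *http.Request) error` and `return esutils.CheckEndpointSlicesReady(req.Context(), r.Client, r.SvcName, r.SvcNamespace)`. This assumes the health handler always passes a non-nil request, which is worth confirming at the registration site. The middle of the function lies between the two hunks and is not shown.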

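--- a/pkg/utils/metadata/metadata.go
+++ b/pkg/esutils/metadata/metadata.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package metadata provides functionality for handling metadata for pushed secrets.
 package metadata
 
 import (
@@ -24,14 +25,21 @@ import (
 )
 
 const (
+	// APIVersion is the apiVersion for PushSecretMetadata.
 	APIVersion = "kubernetes.external-secrets.io/v1alpha1"
-	Kind       = "PushSecretMetadata"
+	// Kind is the kind for PushSecretMetadata.
+	Kind = "PushSecretMetadata"
 )
 
+// PushSecretMetadata represents metadata associated with a pushed secret.
+// T represents the type of custom metadata that can be associated with the secret.
 type PushSecretMetadata[T any] struct {
-	Kind       string `json:"kind"`
+	// Kind is the type of the resource.
+	Kind string `json:"kind"`
+	// APIVersion is the version of the API.
 	APIVersion string `json:"apiVersion"`
-	Spec       T      `json:"spec,omitempty"`
+	// Spec holds the specific metadata for the pushed secret.
+	Spec T `json:"spec,omitempty"`
 }
 
 // ParseMetadataParameters parses metadata with an arbitrary Spec.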

+ 0 - 0
pkg/utils/resolvers/generator.go → pkg/esutils/resolvers/generator.go


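--- a/pkg/utils/resolvers/secret_ref.go
+++ b/pkg/esutils/resolvers/secret_ref.go
@@ -30,7 +30,7 @@ import (
 
 const (
 
-	// This is used to determine if a store is cluster-scoped or not.
+	// EmptyStoreKind is used to determine if a store is cluster-scoped or not.
 	// The EmptyStoreKind is not cluster-scoped, hence resources
 	// cannot be resolved across namespaces.
 	// TODO: when we implement cluster-scoped generators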

+ 0 - 0
pkg/utils/resolvers/secret_ref_test.go → pkg/esutils/resolvers/secret_ref_test.go


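--- a/pkg/utils/utils.go
+++ b/pkg/esutils/utils.go
@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package utils
+// Package esutils provides utility functions for the external-secrets resources.
+package esutils
 
 import (
 	"bytes"
@@ -54,8 +55,8 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/template/v2"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 const (
@@ -87,6 +88,7 @@ func MergeByteMap(dst, src map[string][]byte) map[string][]byte {
 	return dst
 }
 
+// RewriteMap applies a series of rewrite operations to the input map.
 func RewriteMap(operations []esv1.ExternalSecretRewrite, in map[string][]byte) (map[string][]byte, error) {
 	out := in
 	var err error
@@ -265,6 +267,7 @@ func DecodeMap(strategy esv1.ExternalSecretDecodingStrategy, in map[string][]byt
 	return out, nil
 }
 
+// Decode decodes the input byte slice according to the provided decoding strategy.
 func Decode(strategy esv1.ExternalSecretDecodingStrategy, in []byte) ([]byte, error) {
 	switch strategy {
 	case esv1.ExternalSecretDecodeBase64:
@@ -410,10 +413,13 @@ func MergeStringMap(dest, src map[string]string) {
 }
 
 var (
+	// ErrUnexpectedKey is returned when an unexpected key is found in the data.
 	ErrUnexpectedKey = errors.New("unexpected key in data")
-	ErrSecretType    = errors.New("can not handle secret value with type")
+	// ErrSecretType is returned when a secret value cannot be handled due to its type.
+	ErrSecretType = errors.New("can not handle secret value with type")
 )
 
+// GetByteValueFromMap retrieves a byte value from a map by key.
 func GetByteValueFromMap(data map[string]any, key string) ([]byte, error) {
 	v, ok := data[key]
 	if !ok {
@@ -421,6 +427,8 @@ func GetByteValueFromMap(data map[string]any, key string) ([]byte, error) {
 	}
 	return GetByteValue(v)
 }
+
+// GetByteValue converts an interface value to a byte slice.
 func GetByteValue(v any) ([]byte, error) {
 	switch t := v.(type) {
 	case string:
@@ -467,6 +475,7 @@ func ObjectHash(object any) string {
 	return fmt.Sprintf("%x", sha3.Sum224([]byte(textualVersion)))
 }
 
+// ErrorContains checks if the error message contains the specified substring.
 func ErrorContains(out error, want string) bool {
 	if out == nil {
 		return want == ""
@@ -534,6 +543,7 @@ func ValidateReferentServiceAccountSelector(store esv1.GenericStore, ref esmeta.
 	return nil
 }
 
+// NetworkValidate checks if a network endpoint is reachable within the given timeout.
 func NetworkValidate(endpoint string, timeout time.Duration) error {
 	hostname, err := url.Parse(endpoint)
 
@@ -559,6 +569,7 @@ func NetworkValidate(endpoint string, timeout time.Duration) error {
 	return nil
 }
 
+// Deref returns the value pointed to by v, or the zero value if v is nil.
 func Deref[V any](v *V) V {
 	if v == nil {
 		// Create zero value
@@ -568,10 +579,12 @@ func Deref[V any](v *V) V {
 	return *v
 }
 
+// Ptr returns a pointer to the given value.
 func Ptr[T any](i T) *T {
 	return &i
 }
 
+// ConvertToType converts an object to the specified type using JSON marshaling.
 func ConvertToType[T any](obj any) (T, error) {
 	var v T
 
@@ -629,6 +642,7 @@ func dig[T any](key string, data map[string]any) (t T, _ error) {
 	return t, errKeyNotFound
 }
 
+// CompareStringAndByteSlices compares a string pointer and a byte slice for equality.
 func CompareStringAndByteSlices(valueString *string, valueByte []byte) bool {
 	if valueString == nil {
 		return false
@@ -637,6 +651,7 @@ func CompareStringAndByteSlices(valueString *string, valueByte []byte) bool {
 	return bytes.Equal(valueByte, []byte(*valueString))
 }
 
+// ExtractSecretData extracts secret data from a Kubernetes Secret based on PushSecretData configuration.
 func ExtractSecretData(data esv1.PushSecretData, secret *corev1.Secret) ([]byte, error) {
 	var (
 		err   error
@@ -756,7 +771,7 @@ func GetTargetNamespaces(ctx context.Context, cl client.Client, namespaceList []
 // NamespacePredicate can be used to watch for new or updated or deleted namespaces.
 func NamespacePredicate() predicate.Predicate {
 	return predicate.Funcs{
-		CreateFunc: func(e event.CreateEvent) bool {
+		CreateFunc: func(_ event.CreateEvent) bool {
 			return true
 		},
 		UpdateFunc: func(e event.UpdateEvent) bool {
@@ -765,7 +780,7 @@ func NamespacePredicate() predicate.Predicate {
 			}
 			return !reflect.DeepEqual(e.ObjectOld.GetLabels(), e.ObjectNew.GetLabels())
 		},
-		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
+		DeleteFunc: func(_ event.DeleteEvent) bool {
 			return true
 		},
 	}
@@ -840,6 +855,8 @@ func getCertFromConfigMap(ctx context.Context, namespace string, c client.Client
 	return []byte(val), nil
 }
 
+// CheckEndpointSlicesReady checks if there are any EndpointSlice objects for the given service
+// that have ready addresses.
 func CheckEndpointSlicesReady(ctx context.Context, c client.Client, svcName, svcNamespace string) error {
 	var sliceList discoveryv1.EndpointSliceList
 	err := c.List(ctx, &sliceList,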
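Review bot: Two of the new comments leave out the nil cases that the visible code handles. `ErrorContains` returns `want == ""` when `out` is nil, and `CompareStringAndByteSlices` returns false for a nil `valueString` even when `valueByte` is empty, so a caller reading only the comment would expect neither. Suggested wording: `// ErrorContains reports whether out's message contains want; a nil error matches only an empty want.` and `// CompareStringAndByteSlices reports whether *valueString equals valueByte; a nil valueString never matches.` If `CompareStringAndByteSlices` is applied to secret values, the comment could also state that `bytes.Equal` is not a constant-time comparison; whether that matters depends on callers not shown here. The rest of `ErrorContains` lies outside the hunk.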

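--- a/pkg/utils/utils_test.go
+++ b/pkg/esutils/utils_test.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package utils
+package esutils
 
 import (
 	"encoding/json"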

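--- a/pkg/feature/feature.go
+++ b/pkg/feature/feature.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package feature provides functionality related to feature flags and feature management.
 package feature
 
 import (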

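--- a/pkg/find/find.go
+++ b/pkg/find/find.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package find provides utilities for matching names against regular expressions.
 package find
 
 import (
@@ -23,10 +24,12 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
+// Matcher represents a pattern matcher that uses regular expressions to match names.
 type Matcher struct {
 	re *regexp.Regexp
 }
 
+// New creates a new Matcher using the provided FindName configuration.
 func New(findName esv1.FindName) (*Matcher, error) {
 	cmp, err := regexp.Compile(findName.RegExp)
 	if err != nil {
@@ -37,6 +40,7 @@ func New(findName esv1.FindName) (*Matcher, error) {
 	}, nil
 }
 
+// MatchName checks if the given name matches the configured regular expression pattern.
 func (m *Matcher) MatchName(name string) bool {
 	return m.re.MatchString(name)
 }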
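Review bot: The new doc comment on `MatchName` says the name "matches" the pattern, but the body calls `m.re.MatchString(name)`, which reports whether the name contains any match, so an unanchored pattern also accepts names that merely include it. This matcher presumably decides which names are selected, so the comment should state the substring semantics, for example `// MatchName reports whether name contains a match for the configured pattern; anchor the pattern with ^ and $ to require a whole-name match.` The body of `New` continues outside its hunk, so any anchoring done there is not visible here.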

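--- a/pkg/generator/acr/acr.go
+++ b/pkg/generator/acr/acr.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package acr provides functionality for generating authentication tokens for Azure Container Registry.
 package acr
 
 import (
@@ -47,12 +48,14 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault"
 )
 
+// Generator implements ACR token generation functionality.
 type Generator struct {
 	clientSecretCreds clientSecretCredentialFunc
 }
 
 type clientSecretCredentialFunc func(tenantID string, clientID string, clientSecret string, options *azidentity.ClientSecretCredentialOptions) (TokenGetter, error)
 
+// TokenGetter defines an interface for obtaining Azure access tokens.
 type TokenGetter interface {
 	GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error)
 }
@@ -96,7 +99,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 		fetchACRRefreshToken)
 }
 
-func (g *Generator) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, crClient client.Client, namespace string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 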
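Review bot: The comment added above `Cleanup` says it "performs any necessary cleanup after token generation", but the method body is only `return nil` and every parameter is now blanked, so nothing is cleaned up. A reader auditing credential lifecycle could take the current wording to mean that issued tokens are revoked. The cloudsmith section on this page already words it accurately, and I would do the same here: `// Cleanup is a no-op for the ACR generator.` The same wording appears on the `Cleanup` comments in ecr.go, gcr.go, github.go, mfa.go, password.go, quay.go and sshkey.go.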

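--- a/pkg/generator/cloudsmith/cloudsmith.go
+++ b/pkg/generator/cloudsmith/cloudsmith.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package cloudsmith implements a generator for Cloudsmith access tokens using OIDC.
 package cloudsmith
 
 import (
@@ -34,18 +35,21 @@ import (
 	"sigs.k8s.io/yaml"
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
+// Generator implements the Cloudsmith access token generator.
 type Generator struct {
 	httpClient *http.Client
 }
 
+// OIDCRequest represents the payload sent to Cloudsmith for OIDC token exchange.
 type OIDCRequest struct {
 	OIDCToken   string `json:"oidc_token"`
 	ServiceSlug string `json:"service_slug"`
 }
 
+// OIDCResponse represents the response from Cloudsmith containing the access token.
 type OIDCResponse struct {
 	Token string `json:"token"`
 }
@@ -66,6 +70,7 @@ const (
 	httpClientTimeout = 30 * time.Second
 )
 
+// Generate generates a Cloudsmith access token using the provided cloudsmith JSON spec.
 func (g *Generator) Generate(ctx context.Context, cloudsmithSpec *apiextensions.JSON, kubeClient client.Client, targetNamespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		ctx,
@@ -75,15 +80,13 @@ func (g *Generator) Generate(ctx context.Context, cloudsmithSpec *apiextensions.
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, cloudsmithSpec *apiextensions.JSON, providerState genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup is a no-op for the Cloudsmith generator.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 
-func (g *Generator) generate(
-	ctx context.Context,
-	cloudsmithSpec *apiextensions.JSON,
-	_ client.Client,
-	targetNamespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
+// generate performs the main logic of the Cloudsmith generator.
+func (g *Generator) generate(ctx context.Context, cloudsmithSpec *apiextensions.JSON, _ client.Client, targetNamespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	if cloudsmithSpec == nil {
 		return nil, nil, errors.New(errNoSpec)
 	}
@@ -93,7 +96,7 @@ func (g *Generator) generate(
 	}
 
 	// Fetch the service account token
-	oidcToken, err := utils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, targetNamespace)
+	oidcToken, err := esutils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, targetNamespace)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to fetch service account token: %w", err)
 	}
@@ -108,7 +111,7 @@ func (g *Generator) generate(
 		return nil, nil, fmt.Errorf(errExchangeToken, err)
 	}
 
-	exp, err := utils.ExtractJWTExpiration(accessToken)
+	exp, err := esutils.ExtractJWTExpiration(accessToken)
 	if err != nil {
 		return nil, nil, err
 	}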

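--- a/pkg/generator/cloudsmith/cloudsmith_test.go
+++ b/pkg/generator/cloudsmith/cloudsmith_test.go
@@ -29,7 +29,7 @@ import (
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 const mockJWTToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature"
@@ -136,7 +136,7 @@ func TestCloudsmithGenerator_Generate(t *testing.T) {
 		// Mock JWT token with known payload
 		mockToken := mockJWTToken
 
-		claims, err := utils.ParseJWTClaims(mockToken)
+		claims, err := esutils.ParseJWTClaims(mockToken)
 		if err != nil {
 			t.Fatalf("Failed to get claims: %v", err)
 		}
@@ -153,7 +153,7 @@ func TestCloudsmithGenerator_Generate(t *testing.T) {
 		// Mock JWT token with known exp claim
 		mockToken := mockJWTToken
 
-		exp, err := utils.ExtractJWTExpiration(mockToken)
+		exp, err := esutils.ExtractJWTExpiration(mockToken)
 		if err != nil {
 			t.Fatalf("Failed to get token expiration: %v", err)
 		}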

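--- a/pkg/generator/ecr/ecr.go
+++ b/pkg/generator/ecr/ecr.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package ecr provides functionality for generating authentication tokens for AWS Elastic Container Registry.
 package ecr
 
 import (
@@ -44,6 +45,7 @@ type ecrPublicAPI interface {
 	GetAuthorizationToken(ctx context.Context, params *ecrpublic.GetAuthorizationTokenInput, optFuncs ...func(*ecrpublic.Options)) (*ecrpublic.GetAuthorizationTokenOutput, error)
 }
 
+// Generator implements ECR token generation functionality.
 type Generator struct{}
 
 const (
@@ -54,11 +56,13 @@ const (
 	errGetPublicToken  = "unable to get public authorization token: %w"
 )
 
+// Generate creates an authentication token for AWS ECR.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(ctx, jsonSpec, kube, namespace, ecrPrivateFactory, ecrPublicFactory)
 }
 
-func (g *Generator) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, crClient client.Client, namespace string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 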

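--- a/pkg/generator/ecr/resolver.go
+++ b/pkg/generator/ecr/resolver.go
@@ -31,15 +31,15 @@ import (
 )
 
 const (
-	ECREndpointEnv       = "AWS_ECR_ENDPOINT"
+	// ECREndpointEnv is the environment variable name for specifying a custom ECR endpoint.
+	ECREndpointEnv = "AWS_ECR_ENDPOINT"
+	// ECRPublicEndpointEnv is the environment variable name for specifying a custom ECR Public endpoint.
 	ECRPublicEndpointEnv = "AWS_ECR_PUBLIC_ENDPOINT"
 )
 
 type ecrCustomEndpointResolver struct{}
 
-// ResolveEndpoint returns a ResolverFunc with
-// customizable endpoints.
-
+// ResolveEndpoint returns a ResolverFunc with customizable endpoints.
 func (c ecrCustomEndpointResolver) ResolveEndpoint(ctx context.Context, params ecr.EndpointParameters) (smithyendpoints.Endpoint, error) {
 	endpoint := smithyendpoints.Endpoint{}
 	if v := os.Getenv(ECREndpointEnv); v != "" {
@@ -56,6 +56,7 @@ func (c ecrCustomEndpointResolver) ResolveEndpoint(ctx context.Context, params e
 
 type ecrPublicCustomEndpointResolver struct{}
 
+// ResolveEndpoint returns a ResolverFunc with customizable endpoints.
 func (c ecrPublicCustomEndpointResolver) ResolveEndpoint(ctx context.Context, params ecrpublic.EndpointParameters) (smithyendpoints.Endpoint, error) {
 	endpoint := smithyendpoints.Endpoint{}
 	if v := os.Getenv(ECRPublicEndpointEnv); v != "" {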
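Review bot: The comment on both `ResolveEndpoint` methods says they return "a ResolverFunc", but the signatures return a `smithyendpoints.Endpoint`, and the visible bodies take the override from `os.Getenv(ECREndpointEnv)` and `os.Getenv(ECRPublicEndpointEnv)`. That variable decides which host receives the ECR authorization-token request, so the comment should name it, e.g. `// ResolveEndpoint resolves the ECR endpoint, using the value of AWS_ECR_ENDPOINT when it is set.` and the `AWS_ECR_PUBLIC_ENDPOINT` equivalent on the public resolver. Both bodies continue outside the hunks, so how the value is parsed or validated cannot be seen here.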

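--- a/pkg/generator/gcr/gcr.go
+++ b/pkg/generator/gcr/gcr.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package gcr provides functionality for generating authentication tokens for Google Container Registry.
 package gcr
 
 import (
@@ -29,10 +30,11 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// Generator implements GCR token generation functionality.
 type Generator struct{}
 
 const (
@@ -43,6 +45,8 @@ const (
 	errGetToken  = "unable to get authorization token: %w"
 )
 
+// Generate creates an authentication token for Google Container Registry.
+// It retrieves the token using the GCP credentials and returns it in the expected format.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		ctx,
@@ -53,7 +57,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	)
 }
 
-func (g *Generator) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, crClient client.Client, namespace string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 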

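--- a/pkg/generator/github/github.go
+++ b/pkg/generator/github/github.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package github provides functionality for generating authentication tokens for GitHub.
 package github
 
 import (
@@ -36,10 +37,12 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements GitHub token generation functionality.
 type Generator struct {
 	httpClient *http.Client
 }
 
+// Github represents a GitHub instance configuration with authentication details.
 type Github struct {
 	HTTP         *http.Client
 	Kube         client.Client
@@ -62,6 +65,8 @@ const (
 	httpClientTimeout = 5 * time.Second
 )
 
+// Generate creates an authentication token for GitHub.
+// It uses a GitHub App installation token to authenticate with GitHub API.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		ctx,
@@ -71,7 +76,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	)
 }
 
-func (g *Generator) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, crClient client.Client, namespace string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 
@@ -186,12 +192,11 @@ func newGHClient(ctx context.Context, k client.Client, n string, hc *http.Client
 	return gh, nil
 }
 
-// Get github installation token.
+// GetInstallationToken generates a GitHub installation token using the provided private key and app ID.
 func GetInstallationToken(key *rsa.PrivateKey, aid string) (string, error) {
 	claims := jwt.RegisteredClaims{
-		Issuer:    aid,
-		IssuedAt:  jwt.NewNumericDate(time.Now().Add(-time.Second * 10)),
-		ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Second * 300)),
+		Issuer:   aid,
+		IssuedAt: jwt.NewNumericDate(time.Now().Add(-time.Second * 10)),
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)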
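Review bot: The last hunk drops `ExpiresAt` from the `jwt.RegisteredClaims` built in `GetInstallationToken`, so the RS256-signed app JWT is now issued without an `exp` claim, which is a behaviour change inside a commit described as lint fixes. GitHub documents `exp` as a required claim for app JWTs (no more than 10 minutes ahead), so the token exchange is likely to be rejected, and a signed assertion should carry a short expiry in any case. Unless the claim is set in the part of the function outside the hunk, restore `ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Second * 300)),` and keep only the doc-comment change. The function continues past the hunk's last line.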

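--- a/pkg/generator/grafana/grafana.go
+++ b/pkg/generator/grafana/grafana.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package grafana provides functionality for generating Grafana service account tokens.
 package grafana
 
 import (
@@ -33,11 +34,13 @@ import (
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
+// Grafana implements token generation for Grafana service accounts.
 type Grafana struct{}
 
+// Generate creates a new Grafana service account token using the provided configuration.
 func (w *Grafana) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kclient client.Client, ns string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	gen, err := parseSpec(jsonSpec.Raw)
 	if err != nil {
@@ -68,6 +71,7 @@ func (w *Grafana) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kc
 	return tokenResponse(state, res.Payload.Key)
 }
 
+// Cleanup handles any necessary cleanup after token generation.
 func (w *Grafana) Cleanup(ctx context.Context, jsonSpec *apiextensions.JSON, previousStatus genv1alpha1.GeneratorProviderState, kclient client.Client, ns string) error {
 	if previousStatus == nil {
 		return fmt.Errorf("missing previous status")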

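--- a/pkg/generator/mfa/mfa.go
+++ b/pkg/generator/mfa/mfa.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package mfa provides functionality for generating multi-factor authentication tokens.
 package mfa
 
 import (
@@ -29,6 +30,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements MFA token generation functionality.
 type Generator struct{}
 
 const (
@@ -36,6 +38,8 @@ const (
 	errParseSpec = "unable to parse spec: %w"
 )
 
+// Generate creates an MFA token based on the provided configuration.
+// It retrieves the seed from a Kubernetes secret and generates a time-based one-time password.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, c client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	if jsonSpec == nil {
 		return nil, nil, errors.New(errNoSpec)
@@ -79,7 +83,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	}, nil, nil
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 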

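--- a/pkg/generator/password/password.go
+++ b/pkg/generator/password/password.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package password provides functionality for generating secure random passwords.
 package password
 
 import (
@@ -29,6 +30,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements secure random password generation functionality.
 type Generator struct{}
 
 const (
@@ -43,7 +45,7 @@ const (
 )
 
 type generateFunc func(
-	len int,
+	length int,
 	symbols int,
 	symbolCharacters string,
 	digits int,
@@ -51,6 +53,7 @@ type generateFunc func(
 	allowRepeat bool,
 ) (string, error)
 
+// Generate creates a secure random password based on the provided configuration.
 func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _ client.Client, _ string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		jsonSpec,
@@ -58,7 +61,8 @@ func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after password generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 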

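--- a/pkg/generator/quay/quay.go
+++ b/pkg/generator/quay/quay.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package quay provides functionality for generating authentication tokens for Quay container registry.
 package quay
 
 import (
@@ -32,9 +33,10 @@ import (
 	"sigs.k8s.io/yaml"
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
+// Generator implements token generation for Quay.io container registry.
 type Generator struct {
 	httpClient *http.Client
 }
@@ -49,6 +51,7 @@ const (
 	httpClientTimeout = 5 * time.Second
 )
 
+// Generate creates an authentication token for Quay container registry.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		ctx,
@@ -58,7 +61,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 
@@ -76,7 +80,7 @@ func (g *Generator) generate(
 	}
 
 	// Fetch the service account token
-	token, err := utils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, namespace)
+	token, err := esutils.FetchServiceAccountToken(ctx, res.Spec.ServiceAccountRef, namespace)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to fetch service account token: %w", err)
 	}
@@ -90,7 +94,7 @@ func (g *Generator) generate(
 	if err != nil {
 		return nil, nil, err
 	}
-	exp, err := utils.ExtractJWTExpiration(accessToken)
+	exp, err := esutils.ExtractJWTExpiration(accessToken)
 	if err != nil {
 		return nil, nil, err
 	}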

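--- a/pkg/generator/register/register.go
+++ b/pkg/generator/register/register.go
@@ -14,11 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package register provides registration functionality for generators.
 package register
 
-// packages imported here are registered to the controller schema.
-
 import (
+	// Import all generators for their side effects (registration).
 	_ "github.com/external-secrets/external-secrets/pkg/generator/acr"
 	_ "github.com/external-secrets/external-secrets/pkg/generator/cloudsmith"
 	_ "github.com/external-secrets/external-secrets/pkg/generator/ecr"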

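--- a/pkg/generator/sshkey/sshkey.go
+++ b/pkg/generator/sshkey/sshkey.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package sshkey provides functionality for generating SSH key pairs.
 package sshkey
 
 import (
@@ -33,6 +34,7 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements SSH key pair generation functionality.
 type Generator struct{}
 
 const (
@@ -47,6 +49,7 @@ const (
 
 type generateFunc func(keyType string, keySize *int, comment string) (privateKey, publicKey []byte, err error)
 
+// Generate creates a new SSH key pair.
 func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _ client.Client, _ string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		jsonSpec,
@@ -54,7 +57,8 @@ func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after key generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 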

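--- a/pkg/generator/statemanager/statemanager.go
+++ b/pkg/generator/statemanager/statemanager.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package statemanager provides functionality for managing state of generator operations.
 package statemanager
 
 import (
@@ -31,8 +32,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	genapi "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/feature"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 // Manager takes care of maintaining the state of the generators.
@@ -49,6 +50,7 @@ type Manager struct {
 	queue []QueueItem
 }
 
+// QueueItem represents a single item in the state manager's queue.
 type QueueItem struct {
 	Rollback func() error
 	Commit   func() error
@@ -64,6 +66,7 @@ func init() {
 	})
 }
 
+// New creates a new state manager instance with the given configuration.
 func New(ctx context.Context, client client.Client, scheme *runtime.Scheme, namespace string,
 	resource genapi.StatefulResource) *Manager {
 	return &Manager{
@@ -182,7 +185,7 @@ func (m *Manager) createGeneratorState(resource *apiextensions.JSON, state genap
 }
 
 func ownerKey(resource genapi.StatefulResource, key string) string {
-	return utils.ObjectHash(fmt.Sprintf("%s-%s-%s-%s",
+	return esutils.ObjectHash(fmt.Sprintf("%s-%s-%s-%s",
 		resource.GetObjectKind().GroupVersionKind().Kind,
 		resource.GetNamespace(),
 		resource.GetName(),
@@ -222,7 +225,7 @@ func (m *Manager) disposeState(key string) error {
 	return errors.Join(errs...)
 }
 
-// GetLatest returns the latest state for the given key.
+// GetAllStates retrieves all the stored states for the given key.
 func (m *Manager) GetAllStates(key string) ([]genapi.GeneratorState, error) {
 	var stateList genapi.GeneratorStateList
 	if err := m.client.List(m.ctx, &stateList, &client.MatchingLabels{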
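Review bot: `ownerKey` joins kind, namespace and name with `-` in `fmt.Sprintf("%s-%s-%s-%s", ...)` before hashing, and Kubernetes namespaces and names may themselves contain `-`, so namespace `a-b` with name `c` and namespace `a` with name `b-c` yield the same string and the same hash (constructed example). If that hash is the only link between a GeneratorState and its owner, two resources could read or dispose of each other's state; the `List` call in `GetAllStates` is cut off by the hunk, so whether it is also scoped by namespace cannot be seen here. A separator that cannot occur in those fields, e.g. `fmt.Sprintf("%s/%s/%s/%s", ...)`, removes the ambiguity, but it changes the hash of existing state objects and would need a migration step. The remaining arguments of `ownerKey` lie outside the hunk.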

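--- a/pkg/generator/sts/sts.go
+++ b/pkg/generator/sts/sts.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package sts implements a generator for AWS STS session tokens
 package sts
 
 import (
@@ -38,8 +39,10 @@ type stsAPI interface {
 	GetSessionToken(ctx context.Context, params *sts.GetSessionTokenInput, optFns ...func(*sts.Options)) (*sts.GetSessionTokenOutput, error)
 }
 
+// Generator implements a generator for AWS STS session tokens.
 type Generator struct{}
 
+// const error messages.
 const (
 	errNoSpec     = "no config spec provided"
 	errParseSpec  = "unable to parse spec: %w"
@@ -47,6 +50,7 @@ const (
 	errGetToken   = "unable to get authorization token: %w"
 )
 
+// Generate creates AWS STS session tokens and returns credentials.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(ctx, jsonSpec, kube, namespace, stsFactory)
 }
@@ -105,7 +109,8 @@ func (g *Generator) generate(
 	}, nil, nil
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup is a no-op for STS generator as it doesn't require any cleanup.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 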

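--- a/pkg/generator/sts/sts_test.go
+++ b/pkg/generator/sts/sts_test.go
@@ -32,7 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 func TestGenerate(t *testing.T) {
@@ -90,10 +90,10 @@ func TestGenerate(t *testing.T) {
 					t := time.Unix(1234, 0)
 					return &sts.GetSessionTokenOutput{
 						Credentials: &ststypes.Credentials{
-							AccessKeyId:     utils.Ptr("access-key-id"),
-							Expiration:      utils.Ptr(t),
-							SecretAccessKey: utils.Ptr("secret-access-key"),
-							SessionToken:    utils.Ptr("session-token"),
+							AccessKeyId:     esutils.Ptr("access-key-id"),
+							Expiration:      esutils.Ptr(t),
+							SecretAccessKey: esutils.Ptr("secret-access-key"),
+							SessionToken:    esutils.Ptr("session-token"),
 						},
 					}, nil
 				},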

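--- a/pkg/generator/uuid/uuid.go
+++ b/pkg/generator/uuid/uuid.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package uuid provides functionality for generating random UUIDs.
 package uuid
 
 import (
@@ -27,10 +28,12 @@ import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
+// Generator implements random UUID generation functionality.
 type Generator struct{}
 
 type generateFunc func() (string, error)
 
+// Generate creates a random UUID.
 func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _ client.Client, _ string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	return g.generate(
 		jsonSpec,
@@ -38,7 +41,8 @@ func (g *Generator) Generate(_ context.Context, jsonSpec *apiextensions.JSON, _
 	)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 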
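Review bot: The comment added on `Cleanup` ("performs any necessary cleanup after token generation") does not match the code: the body is `return nil`, and this generator produces UUIDs rather than tokens, so the sentence looks copied from another generator. The sts.go section of this commit words the same no-op accurately; here I would write `// Cleanup is a no-op for the UUID generator.`. The same "performs any necessary cleanup" wording is added to the no-op `Cleanup` in pkg/generator/webhook/webhook.go and in the sshkey generator, and should be corrected there as well.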

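--- a/pkg/generator/vault/vault.go
+++ b/pkg/generator/vault/vault.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package vaultdynamic provides functionality for generating dynamic credentials from HashiCorp Vault.
 package vaultdynamic
 
 import (
@@ -31,11 +32,12 @@ import (
 	"sigs.k8s.io/yaml"
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	provider "github.com/external-secrets/external-secrets/pkg/provider/vault"
 	"github.com/external-secrets/external-secrets/pkg/provider/vault/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
+// Generator implements credential generation using HashiCorp Vault's dynamic secrets.
 type Generator struct{}
 
 const (
@@ -45,6 +47,7 @@ const (
 	errGetSecret   = "unable to get dynamic secret: %w"
 )
 
+// Generate creates dynamic credentials using HashiCorp Vault's secrets engines.
 func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	c := &provider.Provider{NewVaultClient: provider.NewVaultClient}
 
@@ -63,7 +66,8 @@ func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON,
 	return g.generate(ctx, c, jsonSpec, kube, clientset.CoreV1(), namespace)
 }
 
-func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup after token generation.
+func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 
@@ -98,7 +102,7 @@ func (g *Generator) generate(ctx context.Context, c *provider.Provider, jsonSpec
 	return g.prepareResponse(spec, result)
 }
 
-func (g *Generator) fetchVaultSecret(ctx context.Context, res *genv1alpha1.VaultDynamicSecret, cl util.Client) (*vault.Secret, error) {
+func (g *Generator) fetchVaultSecret(ctx context.Context, res *genv1alpha1.VaultDynamicSecret, cl vaultutil.Client) (*vault.Secret, error) {
 	var (
 		result *vault.Secret
 		err    error
@@ -151,7 +155,7 @@ func (g *Generator) prepareResponse(res *genv1alpha1.VaultDynamicSecret, result
 	}
 
 	for k := range data {
-		response[k], err = utils.GetByteValueFromMap(data, k)
+		response[k], err = esutils.GetByteValueFromMap(data, k)
 		if err != nil {
 			return nil, nil, err
 		}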
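Review bot: `Cleanup` in this generator is `return nil`, so nothing issued by `Generate` is revoked here, yet the new comment says it "performs any necessary cleanup after token generation". For a dynamic-secrets generator that gap matters: credentials obtained through a Vault lease presumably stay valid until the lease expires unless something else revokes them, and a reader of this comment would assume the opposite. I would state the behaviour instead, e.g. `// Cleanup is a no-op: credentials issued by Generate are not revoked here and expire with their Vault lease.`, and confirm that relying on lease expiry is the intended lifecycle.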

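--- a/pkg/generator/vault/vault_test.go
+++ b/pkg/generator/vault/vault_test.go
@@ -40,7 +40,7 @@ type args struct {
 	jsonSpec      *apiextensions.JSON
 	kube          kclient.Client
 	corev1        typedcorev1.CoreV1Interface
-	vaultClientFn func(config *vaultapi.Config) (util.Client, error)
+	vaultClientFn func(config *vaultapi.Config) (vaultutil.Client, error)
 }
 
 type want struct {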

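--- a/pkg/generator/webhook/webhook.go
+++ b/pkg/generator/webhook/webhook.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package webhook provides functionality for generating secrets through webhook calls.
 package webhook
 
 import (
@@ -28,11 +29,13 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/common/webhook"
 )
 
+// Webhook represents a generator that calls external webhooks to generate secrets.
 type Webhook struct {
 	wh  webhook.Webhook
 	url string
 }
 
+// Generate creates secrets by making webhook calls to external services.
 func (w *Webhook) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kclient client.Client, ns string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	w.wh.EnforceLabels = true
 	w.wh.ClusterScoped = false
@@ -52,7 +55,8 @@ func (w *Webhook) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kc
 	return data, nil, err
 }
 
-func (w *Webhook) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, state genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
+// Cleanup performs any necessary cleanup operations after secret generation.
+func (w *Webhook) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
 	return nil
 }
 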

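--- a/pkg/metrics/metrics.go
+++ b/pkg/metrics/metrics.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package metrics provides functionality for collecting and managing metrics in the external-secrets system.
 package metrics
 
 import (
@@ -24,8 +25,10 @@ import (
 )
 
 const (
+	// ExternalSecretSubsystem is the subsystem name used for external secret metrics.
 	ExternalSecretSubsystem = "externalsecret"
-	providerAPICalls        = "provider_api_calls_count"
+
+	providerAPICalls = "provider_api_calls_count"
 )
 
 var (
@@ -36,6 +39,7 @@ var (
 	}, []string{"provider", "call", "status"})
 )
 
+// ObserveAPICall records metrics for an API call to a provider.
 func ObserveAPICall(provider, call string, err error) {
 	syncCallsTotal.WithLabelValues(provider, call, deriveStatus(err)).Inc()
 }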

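--- a/pkg/provider/akeyless/akeyless.go
+++ b/pkg/provider/akeyless/akeyless.go
@@ -42,8 +42,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/find"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 // Ctx is a type used for context keys in Akeyless provider implementations.
@@ -144,12 +144,12 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	}
 	if akeylessSpec.Auth.KubernetesAuth != nil {
 		if akeylessSpec.Auth.KubernetesAuth.ServiceAccountRef != nil {
-			if err := utils.ValidateReferentServiceAccountSelector(store, *akeylessSpec.Auth.KubernetesAuth.ServiceAccountRef); err != nil {
+			if err := esutils.ValidateReferentServiceAccountSelector(store, *akeylessSpec.Auth.KubernetesAuth.ServiceAccountRef); err != nil {
 				return nil, fmt.Errorf(errInvalidKubeSA, err)
 			}
 		}
 		if akeylessSpec.Auth.KubernetesAuth.SecretRef != nil {
-			err := utils.ValidateSecretSelector(store, *akeylessSpec.Auth.KubernetesAuth.SecretRef)
+			err := esutils.ValidateSecretSelector(store, *akeylessSpec.Auth.KubernetesAuth.SecretRef)
 			if err != nil {
 				return nil, err
 			}
@@ -166,7 +166,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	}
 
 	accessID := akeylessSpec.Auth.SecretRef.AccessID
-	err := utils.ValidateSecretSelector(store, accessID)
+	err := esutils.ValidateSecretSelector(store, accessID)
 	if err != nil {
 		return nil, err
 	}
@@ -180,13 +180,13 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	}
 
 	accessType := akeylessSpec.Auth.SecretRef.AccessType
-	err = utils.ValidateSecretSelector(store, accessType)
+	err = esutils.ValidateSecretSelector(store, accessType)
 	if err != nil {
 		return nil, err
 	}
 
 	accessTypeParam := akeylessSpec.Auth.SecretRef.AccessTypeParam
-	err = utils.ValidateSecretSelector(store, accessTypeParam)
+	err = esutils.ValidateSecretSelector(store, accessTypeParam)
 	if err != nil {
 		return nil, err
 	}
@@ -256,7 +256,7 @@ func (a *Akeyless) Validate() (esv1.ValidationResult, error) {
 	timeout := 15 * time.Second
 	serviceURL := a.url
 
-	if err := utils.NetworkValidate(serviceURL, timeout); err != nil {
+	if err := esutils.NetworkValidate(serviceURL, timeout); err != nil {
 		return esv1.ValidationResultError, err
 	}
 
@@ -266,7 +266,7 @@ func (a *Akeyless) Validate() (esv1.ValidationResult, error) {
 // GetSecret retrieves a secret with the secret name defined in ref.Name.
 // Implements store.Client.GetSecret Interface.
 func (a *Akeyless) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 	ctx, err := a.contextWithToken(ctx)
@@ -310,7 +310,7 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRem
 // GetAllSecrets Implements store.Client.GetAllSecrets Interface.
 // Retrieves all secrets with defined in ref.Name or tags.
 func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 	ctx, err := a.contextWithToken(ctx)
@@ -398,7 +398,7 @@ func (a *Akeyless) findSecretsFromName(ctx context.Context, searchPath string, r
 // GetSecretMap implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
 func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return nil, errors.New(errUninitalizedAkeylessProvider)
 	}
 	val, err := a.GetSecret(ctx, ref)
@@ -422,7 +422,7 @@ func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretData
 
 // SecretExists checks if a secret exists in Akeyless Vault at the specified remote reference.
 func (a *Akeyless) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return false, errors.New(errUninitalizedAkeylessProvider)
 	}
 	secret, err := a.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: ref.GetRemoteKey()})
@@ -454,7 +454,7 @@ func initMapIfNotExist(psd esv1.PushSecretData, secretMapSize int) map[string]an
 
 // PushSecret pushes a Kubernetes secret to Akeyless Vault using the provided data.
 func (a *Akeyless) PushSecret(ctx context.Context, secret *corev1.Secret, psd esv1.PushSecretData) error {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return errors.New(errUninitalizedAkeylessProvider)
 	}
 	ctx, err := a.contextWithToken(ctx)
@@ -498,7 +498,7 @@ func (a *Akeyless) PushSecret(ctx context.Context, secret *corev1.Secret, psd es
 
 // DeleteSecret deletes a secret from Akeyless Vault at the specified remote reference.
 func (a *Akeyless) DeleteSecret(ctx context.Context, psr esv1.PushSecretRemoteRef) error {
-	if utils.IsNil(a.Client) {
+	if esutils.IsNil(a.Client) {
 		return errors.New(errUninitalizedAkeylessProvider)
 	}
 	ctx, err := a.contextWithToken(ctx)
@@ -544,7 +544,7 @@ func (a *akeylessBase) getAkeylessHTTPClient(ctx context.Context, provider *esv1
 		return client, nil
 	}
 
-	cert, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
+	cert, err := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
 		StoreKind:  a.storeKind,
 		Client:     a.kube,
 		Namespace:  a.namespace,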

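--- a/pkg/provider/akeyless/akeyless_api.go
+++ b/pkg/provider/akeyless/akeyless_api.go
@@ -38,8 +38,8 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 var (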

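--- a/pkg/provider/akeyless/auth.go
+++ b/pkg/provider/akeyless/auth.go
@@ -21,7 +21,7 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 const (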

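--- a/pkg/provider/alibaba/client.go
+++ b/pkg/provider/alibaba/client.go
@@ -34,7 +34,7 @@ import (
 	"github.com/alibabacloud-go/tea/tea"
 	"github.com/hashicorp/go-retryablehttp"
 
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 const (
@@ -70,7 +70,7 @@ func newClient(config *openapi.Config, options *util.RuntimeOptions) (*secretsMa
 		return nil, fmt.Errorf("failed to get KMS endpoint: %w", err)
 	}
 
-	if utils.Deref(endpoint) == "" {
+	if esutils.Deref(endpoint) == "" {
 		return nil, errors.New("error KMS endpoint is missing")
 	}
 
@@ -85,9 +85,9 @@ func newClient(config *openapi.Config, options *util.RuntimeOptions) (*secretsMa
 	}
 
 	const defaultRetryAttempts = 3
-	if utils.Deref(options.Autoretry) {
+	if esutils.Deref(options.Autoretry) {
 		if options.MaxAttempts != nil {
-			retryClient.RetryMax = utils.Deref(options.MaxAttempts)
+			retryClient.RetryMax = esutils.Deref(options.MaxAttempts)
 		} else {
 			retryClient.RetryMax = defaultRetryAttempts
 		}
@@ -96,7 +96,7 @@ func newClient(config *openapi.Config, options *util.RuntimeOptions) (*secretsMa
 	return &secretsManagerClient{
 		config:   config,
 		options:  options,
-		endpoint: utils.Deref(endpoint),
+		endpoint: esutils.Deref(endpoint),
 		client:   retryClient.StandardClient(),
 	}, nil
 }
@@ -111,10 +111,10 @@ func (s *secretsManagerClient) GetSecretValue(
 ) (*kms.GetSecretValueResponseBody, error) {
 	resp, err := s.doAPICall(ctx, "GetSecretValue", request)
 	if err != nil {
-		return nil, fmt.Errorf("error getting secret [%s] latest value: %w", utils.Deref(request.SecretName), err)
+		return nil, fmt.Errorf("error getting secret [%s] latest value: %w", esutils.Deref(request.SecretName), err)
 	}
 
-	body, err := utils.ConvertToType[kms.GetSecretValueResponseBody](resp)
+	body, err := esutils.ConvertToType[kms.GetSecretValueResponseBody](resp)
 	if err != nil {
 		return nil, fmt.Errorf("error converting body: %w", err)
 	}
@@ -133,11 +133,11 @@ func (s *secretsManagerClient) doAPICall(ctx context.Context,
 	apiRequest := newOpenAPIRequest(s.endpoint, action, methodTypeGET, request)
 	apiRequest.query["AccessKeyId"] = creds.AccessKeyId
 
-	if utils.Deref(creds.SecurityToken) != "" {
+	if esutils.Deref(creds.SecurityToken) != "" {
 		apiRequest.query["SecurityToken"] = creds.SecurityToken
 	}
 
-	apiRequest.query["Signature"] = openapiutil.GetRPCSignature(apiRequest.query, utils.Ptr(apiRequest.method.String()), creds.AccessKeySecret)
+	apiRequest.query["Signature"] = openapiutil.GetRPCSignature(apiRequest.query, esutils.Ptr(apiRequest.method.String()), creds.AccessKeySecret)
 
 	httpReq, err := newHTTPRequestWithContext(ctx, apiRequest)
 	if err != nil {
@@ -156,8 +156,8 @@ func (s *secretsManagerClient) doAPICall(ctx context.Context,
 }
 
 func (s *secretsManagerClient) parseResponse(resp *http.Response) (map[string]any, error) {
-	statusCode := utils.Ptr(resp.StatusCode)
-	if utils.Deref(util.Is4xx(statusCode)) || utils.Deref(util.Is5xx(statusCode)) {
+	statusCode := esutils.Ptr(resp.StatusCode)
+	if esutils.Deref(util.Is4xx(statusCode)) || esutils.Deref(util.Is5xx(statusCode)) {
 		return nil, s.parseErrorResponse(resp)
 	}
 
@@ -185,7 +185,7 @@ func (s *secretsManagerClient) parseErrorResponse(resp *http.Response) error {
 		return err
 	}
 
-	errorMap["statusCode"] = utils.Ptr(resp.StatusCode)
+	errorMap["statusCode"] = esutils.Ptr(resp.StatusCode)
 	err = tea.NewSDKError(map[string]any{
 		"code":               tea.ToString(defaultAny(errorMap["Code"], errorMap["code"])),
 		"message":            fmt.Sprintf("code: %s, %s", tea.ToString(resp.StatusCode), tea.ToString(defaultAny(errorMap["Message"], errorMap["message"]))),
@@ -223,18 +223,18 @@ func newOpenAPIRequest(endpoint string,
 		method:   method,
 		headers: map[string]*string{
 			"host":          &endpoint,
-			"x-acs-version": utils.Ptr(kmsAPIVersion),
+			"x-acs-version": esutils.Ptr(kmsAPIVersion),
 			"x-acs-action":  &action,
-			"user-agent":    utils.Ptr(fmt.Sprintf("AlibabaCloud (%s; %s) Golang/%s Core/%s TeaDSL/1", runtime.GOOS, runtime.GOARCH, strings.Trim(runtime.Version(), "go"), "0.01")),
+			"user-agent":    esutils.Ptr(fmt.Sprintf("AlibabaCloud (%s; %s) Golang/%s Core/%s TeaDSL/1", runtime.GOOS, runtime.GOARCH, strings.Trim(runtime.Version(), "go"), "0.01")),
 		},
 		query: map[string]*string{
 			"Action":           &action,
-			"Format":           utils.Ptr("json"),
-			"Version":          utils.Ptr(kmsAPIVersion),
+			"Format":           esutils.Ptr("json"),
+			"Version":          esutils.Ptr(kmsAPIVersion),
 			"Timestamp":        openapiutil.GetTimestamp(),
 			"SignatureNonce":   util.GetNonce(),
-			"SignatureMethod":  utils.Ptr("HMAC-SHA1"),
-			"SignatureVersion": utils.Ptr("1.0"),
+			"SignatureMethod":  esutils.Ptr("HMAC-SHA1"),
+			"SignatureVersion": esutils.Ptr("1.0"),
 		},
 	}
 
@@ -246,7 +246,7 @@ func newHTTPRequestWithContext(ctx context.Context,
 	req *openAPIRequest) (*http.Request, error) {
 	query := url.Values{}
 	for k, v := range req.query {
-		query.Add(k, utils.Deref(v))
+		query.Add(k, esutils.Deref(v))
 	}
 
 	httpReq, err := http.NewRequestWithContext(ctx, req.method.String(), fmt.Sprintf("https://%s/?%s", url.PathEscape(req.endpoint), query.Encode()), http.NoBody)
@@ -255,14 +255,14 @@ func newHTTPRequestWithContext(ctx context.Context,
 	}
 
 	for k, v := range req.headers {
-		httpReq.Header.Add(k, utils.Deref(v))
+		httpReq.Header.Add(k, esutils.Deref(v))
 	}
 
 	return httpReq, nil
 }
 
 func defaultAny(inputValue, defaultValue any) any {
-	if utils.Deref(util.IsUnset(inputValue)) {
+	if esutils.Deref(util.IsUnset(inputValue)) {
 		return defaultValue
 	}
 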

+ 20 - 20
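--- a/pkg/provider/alibaba/kms.go
+++ b/pkg/provider/alibaba/kms.go
@@ -33,8 +33,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 const (
@@ -84,7 +84,7 @@ func (kms *KeyManagementService) GetAllSecrets(_ context.Context, _ esv1.Externa
 
 // GetSecret returns a single secret from the provider.
 func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	if utils.IsNil(kms.Client) {
+	if esutils.IsNil(kms.Client) {
 		return nil, errors.New(errUninitalizedAlibabaProvider)
 	}
 
@@ -101,14 +101,14 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1.Externa
 		return nil, SanitizeErr(err)
 	}
 	if ref.Property == "" {
-		if utils.Deref(secretOut.SecretData) != "" {
-			return []byte(utils.Deref(secretOut.SecretData)), nil
+		if esutils.Deref(secretOut.SecretData) != "" {
+			return []byte(esutils.Deref(secretOut.SecretData)), nil
 		}
 		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
 	}
 	var payload string
-	if utils.Deref(secretOut.SecretData) != "" {
-		payload = utils.Deref(secretOut.SecretData)
+	if esutils.Deref(secretOut.SecretData) != "" {
+		payload = esutils.Deref(secretOut.SecretData)
 	}
 	val := gjson.Get(payload, ref.Property)
 	if !val.Exists() {
@@ -151,7 +151,7 @@ func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1.Gener
 	}
 
 	config := &openapi.Config{
-		RegionId:   utils.Ptr(alibabaSpec.RegionID),
+		RegionId:   esutils.Ptr(alibabaSpec.RegionID),
 		Credential: credentials,
 	}
 
@@ -180,8 +180,8 @@ func newOptions(store esv1.GenericStore) *util.RuntimeOptions {
 			retryAmount = 3
 		}
 
-		options.Autoretry = utils.Ptr(true)
-		options.MaxAttempts = utils.Ptr(retryAmount)
+		options.Autoretry = esutils.Ptr(true)
+		options.MaxAttempts = esutils.Ptr(retryAmount)
 	}
 
 	return options
@@ -220,9 +220,9 @@ func newRRSAAuth(store esv1.GenericStore) (credential.Credential, error) {
 		OIDCTokenFilePath: &alibabaSpec.Auth.RRSAAuth.OIDCTokenFilePath,
 		RoleArn:           &alibabaSpec.Auth.RRSAAuth.RoleARN,
 		RoleSessionName:   &alibabaSpec.Auth.RRSAAuth.SessionName,
-		Type:              utils.Ptr("oidc_role_arn"),
-		ConnectTimeout:    utils.Ptr(30 * 1000),
-		Timeout:           utils.Ptr(60 * 1000),
+		Type:              esutils.Ptr("oidc_role_arn"),
+		ConnectTimeout:    esutils.Ptr(30 * 1000),
+		Timeout:           esutils.Ptr(60 * 1000),
 	}
 
 	return credential.NewCredential(credentialConfig)
@@ -241,11 +241,11 @@ func newAccessKeyAuth(ctx context.Context, kube kclient.Client, store esv1.Gener
 		return nil, fmt.Errorf(errFetchAccessKeySecret, err)
 	}
 	credentialConfig := &credential.Config{
-		AccessKeyId:     utils.Ptr(accessKeyID),
-		AccessKeySecret: utils.Ptr(accessKeySecret),
-		Type:            utils.Ptr("access_key"),
-		ConnectTimeout:  utils.Ptr(30),
-		Timeout:         utils.Ptr(60),
+		AccessKeyId:     esutils.Ptr(accessKeyID),
+		AccessKeySecret: esutils.Ptr(accessKeySecret),
+		Type:            esutils.Ptr("access_key"),
+		ConnectTimeout:  esutils.Ptr(30),
+		Timeout:         esutils.Ptr(60),
 	}
 
 	return credential.NewCredential(credentialConfig)
@@ -331,7 +331,7 @@ func (kms *KeyManagementService) validateStoreAccessKeyAuth(store esv1.GenericSt
 	alibabaSpec := storeSpec.Provider.Alibaba
 
 	accessKeyID := alibabaSpec.Auth.SecretRef.AccessKeyID
-	err := utils.ValidateSecretSelector(store, accessKeyID)
+	err := esutils.ValidateSecretSelector(store, accessKeyID)
 	if err != nil {
 		return err
 	}
@@ -345,7 +345,7 @@ func (kms *KeyManagementService) validateStoreAccessKeyAuth(store esv1.GenericSt
 	}
 
 	accessKeySecret := alibabaSpec.Auth.SecretRef.AccessKeySecret
-	err = utils.ValidateSecretSelector(store, accessKeySecret)
+	err = esutils.ValidateSecretSelector(store, accessKeySecret)
 	if err != nil {
 		return err
 	}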
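Review bot: The two credential configs touched in this file disagree on timeout units: newRRSAAuth passes `30 * 1000` and `60 * 1000` for ConnectTimeout/Timeout, while newAccessKeyAuth passes `30` and `60`. The rename carries both over unchanged, so if the credential library reads these fields in milliseconds (which the RRSA values suggest; confirm against the SDK), the access-key path is configured with a 30 ms connect and 60 ms overall timeout. Align the two, e.g. `ConnectTimeout: esutils.Ptr(30 * 1000),` and `Timeout: esutils.Ptr(60 * 1000),` in newAccessKeyAuth, ideally through shared named constants so the unit is stated once. Both functions begin outside their hunks.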

+ 11 - 11
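--- a/pkg/provider/alibaba/kms_test.go
+++ b/pkg/provider/alibaba/kms_test.go
@@ -27,8 +27,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/alibaba/fake"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 const (
@@ -71,14 +71,14 @@ func makeValidRef() *esv1.ExternalSecretDataRemoteRef {
 
 func makeValidAPIInput() *kmssdk.GetSecretValueRequest {
 	return &kmssdk.GetSecretValueRequest{
-		SecretName: utils.Ptr(secretName),
+		SecretName: esutils.Ptr(secretName),
 	}
 }
 
 func makeValidAPIOutput() *kmssdk.GetSecretValueResponseBody {
 	response := &kmssdk.GetSecretValueResponseBody{
-		SecretName:    utils.Ptr(secretName),
-		SecretData:    utils.Ptr(secretValue),
+		SecretName:    esutils.Ptr(secretName),
+		SecretData:    esutils.Ptr(secretValue),
 		VersionStages: &kmssdk.GetSecretValueResponseBodyVersionStages{},
 	}
 	return response
@@ -111,16 +111,16 @@ func TestAlibabaKMSGetSecret(t *testing.T) {
 	// good case: default version is set
 	// key is passed in, output is sent back
 	setSecretString := func(kmstc *keyManagementServiceTestCase) {
-		kmstc.apiOutput.SecretName = utils.Ptr(secretName)
-		kmstc.apiOutput.SecretData = utils.Ptr(secretValue)
+		kmstc.apiOutput.SecretName = esutils.Ptr(secretName)
+		kmstc.apiOutput.SecretData = esutils.Ptr(secretValue)
 		kmstc.expectedSecret = secretValue
 	}
 
 	// good case: custom version set
 	setCustomKey := func(kmstc *keyManagementServiceTestCase) {
-		kmstc.apiOutput.SecretName = utils.Ptr("test-example-other")
+		kmstc.apiOutput.SecretName = esutils.Ptr("test-example-other")
 		kmstc.ref.Key = "test-example-other"
-		kmstc.apiOutput.SecretData = utils.Ptr(secretValue)
+		kmstc.apiOutput.SecretData = esutils.Ptr(secretValue)
 		kmstc.expectedSecret = secretValue
 	}
 
@@ -147,14 +147,14 @@ func TestAlibabaKMSGetSecret(t *testing.T) {
 func TestGetSecretMap(t *testing.T) {
 	// good case: default version & deserialization
 	setDeserialization := func(kmstc *keyManagementServiceTestCase) {
-		kmstc.apiOutput.SecretName = utils.Ptr("foo")
+		kmstc.apiOutput.SecretName = esutils.Ptr("foo")
 		kmstc.expectedData["foo"] = []byte("bar")
-		kmstc.apiOutput.SecretData = utils.Ptr(`{"foo":"bar"}`)
+		kmstc.apiOutput.SecretData = esutils.Ptr(`{"foo":"bar"}`)
 	}
 
 	// bad case: invalid json
 	setInvalidJSON := func(kmstc *keyManagementServiceTestCase) {
-		kmstc.apiOutput.SecretData = utils.Ptr("-----------------")
+		kmstc.apiOutput.SecretData = esutils.Ptr("-----------------")
 		kmstc.expectError = "unable to unmarshal secret"
 	}
 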

+ 2 - 2
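--- a/pkg/provider/aws/auth/auth.go
+++ b/pkg/provider/aws/auth/auth.go
@@ -37,9 +37,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/feature"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
@@ -88,7 +88,7 @@ type Opts struct {
 // * static credentials from a Kind=Secret, optionally with doing a AssumeRole.
 // * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
 func New(ctx context.Context, opts Opts) (*aws.Config, error) {
-	prov, err := util.GetAWSProvider(opts.Store)
+	prov, err := awsutil.GetAWSProvider(opts.Store)
 	if err != nil {
 		return nil, err
 	}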
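Review bot: The import `"github.com/external-secrets/external-secrets/pkg/provider/aws/util"` is left without an alias while the call site now reads `awsutil.GetAWSProvider`, so nothing in the import block tells a reader where `awsutil` comes from. Go takes the identifier from the package clause, so this compiles, but the directory name (`util`) and the package name (`awsutil`) now differ. Spell it out as `awsutil "github.com/external-secrets/external-secrets/pkg/provider/aws/util"`, or rename the directory to match the package. The same unaliased import appears in the import hunks of parameterstore.go, provider.go and secretsmanager.go.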

+ 11 - 9
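--- a/pkg/provider/aws/parameterstore/parameterstore.go
+++ b/pkg/provider/aws/parameterstore/parameterstore.go
@@ -36,11 +36,11 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/external-secrets/external-secrets/pkg/find"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
 )
 
 // Tier defines policy details for PushSecret.
@@ -270,10 +270,10 @@ func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret,
 func (pm *ParameterStore) encodeSecretData(encodeAsDecoded bool, data map[string][]byte) ([]byte, error) {
 	if encodeAsDecoded {
 		// This will result in map byte slices not being base64 encoded by json.Marshal.
-		return utils.JSONMarshal(convertMap(data))
+		return esutils.JSONMarshal(convertMap(data))
 	}
 
-	return utils.JSONMarshal(data)
+	return esutils.JSONMarshal(data)
 }
 
 func convertMap(in map[string][]byte) map[string]string {
@@ -311,7 +311,7 @@ func (pm *ParameterStore) setExisting(ctx context.Context, existing *ssm.GetPara
 		return err
 	}
 
-	tagKeysToRemove := util.FindTagKeysToRemove(tags, metaTags)
+	tagKeysToRemove := awsutil.FindTagKeysToRemove(tags, metaTags)
 	if len(tagKeysToRemove) > 0 {
 		_, err = pm.client.RemoveTagsFromResource(ctx, &ssm.RemoveTagsFromResourceInput{
 			ResourceId:   existing.Parameter.Name,
@@ -516,7 +516,7 @@ func (pm *ParameterStore) fetchAndSet(ctx context.Context, data map[string][]byt
 	})
 	metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSGetParameter, err)
 	if err != nil {
-		return util.SanitizeErr(err)
+		return awsutil.SanitizeErr(err)
 	}
 
 	data[name] = []byte(*out.Parameter.Value)
@@ -539,7 +539,7 @@ func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1.ExternalSecret
 		return nil, esv1.NoSecretErr
 	}
 	if err != nil {
-		return nil, util.SanitizeErr(err)
+		return nil, awsutil.SanitizeErr(err)
 	}
 	if ref.Property == "" {
 		if out.Parameter.Value != nil {
@@ -572,13 +572,15 @@ func (pm *ParameterStore) getParameterTags(ctx context.Context, ref esv1.Externa
 	if err != nil {
 		return nil, err
 	}
-	json, err := util.ParameterTagsToJSONString(tags)
+
+	jsonStr, err := awsutil.ParameterTagsToJSONString(tags)
 	if err != nil {
 		return nil, err
 	}
+
 	out := &ssm.GetParameterOutput{
 		Parameter: &ssmTypes.Parameter{
-			Value: &json,
+			Value: &jsonStr,
 		},
 	}
 	return out, nil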
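Review bot: In the fetchAndSet hunk, `data[name] = []byte(*out.Parameter.Value)` dereferences `out.Parameter.Value` with no nil check, whereas the GetSecret hunk in this same file guards the field with `if out.Parameter.Value != nil`. A response that carries no value (or a test double returning an empty output) would panic the reconciler rather than surface an error. Add a guard before the assignment, for example `if out.Parameter == nil || out.Parameter.Value == nil { return fmt.Errorf("parameter %s has no value", name) }`, assuming `fmt` is already imported in this file. fetchAndSet starts and ends outside the hunk.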

+ 2 - 2
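--- a/pkg/provider/aws/parameterstore/parameterstore_test.go
+++ b/pkg/provider/aws/parameterstore/parameterstore_test.go
@@ -25,7 +25,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	ssmtypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -865,7 +865,7 @@ func TestGetSecret(t *testing.T) {
 			TagList: getTagSlice(),
 		}
 		pstc.fakeClient.ListTagsForResourceFn = fakeps.NewListTagsForResourceFn(&output, nil)
-		pstc.expectedSecret, _ = util.ParameterTagsToJSONString(normaliseTags(getTagSlice()))
+		pstc.expectedSecret, _ = awsutil.ParameterTagsToJSONString(normaliseTags(getTagSlice()))
 	}
 
 	// good case: metadata property returned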

+ 9 - 9
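--- a/pkg/provider/aws/provider.go
+++ b/pkg/provider/aws/provider.go
@@ -32,11 +32,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 // https://github.com/external-secrets/external-secrets/issues/644
@@ -65,7 +65,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 
 // ValidateStore validates the configuration of the AWS SecretStore.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
-	prov, err := util.GetAWSProvider(store)
+	prov, err := awsutil.GetAWSProvider(store)
 	if err != nil {
 		return nil, err
 	}
@@ -80,14 +80,14 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 	// case: static credentials
 	if prov.Auth.SecretRef != nil {
-		if err := utils.ValidateReferentSecretSelector(store, prov.Auth.SecretRef.AccessKeyID); err != nil {
+		if err := esutils.ValidateReferentSecretSelector(store, prov.Auth.SecretRef.AccessKeyID); err != nil {
 			return nil, fmt.Errorf("invalid Auth.SecretRef.AccessKeyID: %w", err)
 		}
-		if err := utils.ValidateReferentSecretSelector(store, prov.Auth.SecretRef.SecretAccessKey); err != nil {
+		if err := esutils.ValidateReferentSecretSelector(store, prov.Auth.SecretRef.SecretAccessKey); err != nil {
 			return nil, fmt.Errorf("invalid Auth.SecretRef.SecretAccessKey: %w", err)
 		}
 		if prov.Auth.SecretRef.SessionToken != nil {
-			if err := utils.ValidateReferentSecretSelector(store, *prov.Auth.SecretRef.SessionToken); err != nil {
+			if err := esutils.ValidateReferentSecretSelector(store, *prov.Auth.SecretRef.SessionToken); err != nil {
 				return nil, fmt.Errorf("invalid Auth.SecretRef.SessionToken: %w", err)
 			}
 		}
@@ -95,7 +95,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 	// case: jwt credentials
 	if prov.Auth.JWTAuth != nil && prov.Auth.JWTAuth.ServiceAccountRef != nil {
-		if err := utils.ValidateReferentServiceAccountSelector(store, *prov.Auth.JWTAuth.ServiceAccountRef); err != nil {
+		if err := esutils.ValidateReferentServiceAccountSelector(store, *prov.Auth.JWTAuth.ServiceAccountRef); err != nil {
 			return nil, fmt.Errorf("invalid Auth.JWT.ServiceAccountRef: %w", err)
 		}
 	}
@@ -131,14 +131,14 @@ func validateSecretsManagerConfig(prov *esv1.AWSProvider) error {
 	if prov.SecretsManager == nil {
 		return nil
 	}
-	return util.ValidateDeleteSecretInput(awssm.DeleteSecretInput{
+	return awsutil.ValidateDeleteSecretInput(awssm.DeleteSecretInput{
 		ForceDeleteWithoutRecovery: &prov.SecretsManager.ForceDeleteWithoutRecovery,
 		RecoveryWindowInDays:       &prov.SecretsManager.RecoveryWindowInDays,
 	})
 }
 
 func newClient(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string, assumeRoler awsauth.STSProvider) (esv1.SecretsClient, error) {
-	prov, err := util.GetAWSProvider(store)
+	prov, err := awsutil.GetAWSProvider(store)
 	if err != nil {
 		return nil, err
 	}
@@ -150,7 +150,7 @@ func newClient(ctx context.Context, store esv1.GenericStore, kube client.Client,
 
 	// allow SecretStore controller validation to pass
 	// when using referent namespace.
-	if util.IsReferentSpec(prov.Auth) && namespace == "" &&
+	if awsutil.IsReferentSpec(prov.Auth) && namespace == "" &&
 		store.GetObjectKind().GroupVersionKind().Kind == esv1.ClusterSecretStoreKind {
 		cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion("eu-west-1"))
 		if err != nil {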

+ 10 - 10
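--- a/pkg/provider/aws/secretsmanager/secretsmanager.go
+++ b/pkg/provider/aws/secretsmanager/secretsmanager.go
@@ -29,7 +29,7 @@ import (
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/aws/smithy-go"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
@@ -40,10 +40,10 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/find"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 // PushSecretMetadataSpec contains metadata information for pushing secrets to AWS Secret Manager.
@@ -180,7 +180,7 @@ func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushS
 	if sm.config != nil && sm.config.RecoveryWindowInDays > 0 {
 		deleteInput.RecoveryWindowInDays = &sm.config.RecoveryWindowInDays
 	}
-	err = util.ValidateDeleteSecretInput(*deleteInput)
+	err = awsutil.ValidateDeleteSecretInput(*deleteInput)
 	if err != nil {
 		return err
 	}
@@ -215,7 +215,7 @@ func (sm *SecretsManager) handleSecretError(err error) (bool, error) {
 
 // PushSecret pushes a secret to AWS Secrets Manager.
 func (sm *SecretsManager) PushSecret(ctx context.Context, secret *corev1.Secret, psd esv1.PushSecretData) error {
-	value, err := utils.ExtractSecretData(psd, secret)
+	value, err := esutils.ExtractSecretData(psd, secret)
 	if err != nil {
 		return fmt.Errorf("failed to extract secret data: %w", err)
 	}
@@ -404,7 +404,7 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1.ExternalSecret
 		return nil, err
 	}
 	if err != nil {
-		return nil, util.SanitizeErr(err)
+		return nil, awsutil.SanitizeErr(err)
 	}
 	if ref.Property == "" {
 		if secretOut.SecretString != nil {
@@ -497,7 +497,7 @@ func (sm *SecretsManager) Validate() (esv1.ValidationResult, error) {
 	}
 	_, err := sm.cfg.Credentials.Retrieve(context.Background())
 	if err != nil {
-		return esv1.ValidationResultError, util.SanitizeErr(err)
+		return esv1.ValidationResultError, awsutil.SanitizeErr(err)
 	}
 
 	return esv1.ValidationResultReady, nil
@@ -543,7 +543,7 @@ func (sm *SecretsManager) createSecretWithContext(ctx context.Context, secretNam
 }
 
 func (sm *SecretsManager) putSecretValueWithContext(ctx context.Context, secretArn string, awsSecret *awssm.GetSecretValueOutput, psd esv1.PushSecretData, value []byte, tags []types.Tag) error {
-	if awsSecret != nil && (bytes.Equal(awsSecret.SecretBinary, value) || utils.CompareStringAndByteSlices(awsSecret.SecretString, value)) {
+	if awsSecret != nil && (bytes.Equal(awsSecret.SecretBinary, value) || esutils.CompareStringAndByteSlices(awsSecret.SecretString, value)) {
 		return nil
 	}
 
@@ -560,7 +560,7 @@ func (sm *SecretsManager) putSecretValueWithContext(ctx context.Context, secretA
 		SecretBinary:       value,
 		ClientRequestToken: aws.String(newVersionNumber),
 	}
-	secretPushFormat, err := utils.FetchValueFromMetadata(SecretPushFormatKey, psd.GetMetadata(), SecretPushFormatBinary)
+	secretPushFormat, err := esutils.FetchValueFromMetadata(SecretPushFormatKey, psd.GetMetadata(), SecretPushFormatBinary)
 	if err != nil {
 		return fmt.Errorf("failed to parse metadata: %w", err)
 	}
@@ -588,7 +588,7 @@ func (sm *SecretsManager) patchTags(ctx context.Context, metadata *apiextensions
 		return err
 	}
 
-	tagKeysToRemove := util.FindTagKeysToRemove(tags, meta.Spec.Tags)
+	tagKeysToRemove := awsutil.FindTagKeysToRemove(tags, meta.Spec.Tags)
 	if len(tagKeysToRemove) > 0 {
 		_, err = sm.client.UntagResource(ctx, &awssm.UntagResourceInput{
 			SecretId: secretID,
@@ -666,7 +666,7 @@ func (sm *SecretsManager) constructSecretValue(ctx context.Context, key, ver str
 		}
 		log.Info("found metadata secret", "key", key, "output", descOutput)
 
-		jsonTags, err := util.SecretTagsToJSONString(descOutput.Tags)
+		jsonTags, err := awsutil.SecretTagsToJSONString(descOutput.Tags)
 		if err != nil {
 			return nil, err
 		}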
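Review bot: `log.Info("found metadata secret", "key", key, "output", descOutput)` in the constructSecretValue hunk writes the whole describe output to the operator log at info level. The hunk shows that this output carries at least the secret's tags, and presumably further secret metadata, all of which becomes readable by anyone with access to the controller logs. Log only what an operator needs, for example `log.V(1).Info("found metadata secret", "key", key)`, assuming `log` is a logr-style logger. constructSecretValue starts and ends outside the hunk.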

+ 4 - 4
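--- a/pkg/provider/aws/secretsmanager/secretsmanager_test.go
+++ b/pkg/provider/aws/secretsmanager/secretsmanager_test.go
@@ -30,7 +30,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -225,7 +225,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 			Tags: getTagSlice(),
 		}
 		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
-		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
+		jsonTags, _ := awsutil.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
 		smtc.expectedSecret = jsonTags
 	}
@@ -237,7 +237,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 		}
 		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
 		smtc.remoteRef.Property = tagname2
-		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
+		jsonTags, _ := awsutil.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
 		smtc.expectedSecret = tagvalue2
 	}
@@ -249,7 +249,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 		}
 		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
 		smtc.remoteRef.Property = "fail"
-		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
+		jsonTags, _ := awsutil.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
 		smtc.expectError = "key fail does not exist in secret /baz"
 	}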

+ 2 - 2
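--- a/pkg/provider/aws/util/errors.go
+++ b/pkg/provider/aws/util/errors.go
@@ -14,8 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package util provides utility functions for AWS providers in External Secrets Operator
-package util
+// Package awsutil provides utility functions for AWS providers in External Secrets Operator
+package awsutil
 
 import (
 	"errors"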

+ 1 - 1
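--- a/pkg/provider/aws/util/errors_test.go
+++ b/pkg/provider/aws/util/errors_test.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+package awsutil
 
 import (
 	"errors"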

+ 1 - 1
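--- a/pkg/provider/aws/util/provider.go
+++ b/pkg/provider/aws/util/provider.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+package awsutil
 
 import (
 	"encoding/json"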

+ 1 - 1
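--- a/pkg/provider/aws/util/provider_test.go
+++ b/pkg/provider/aws/util/provider_test.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+package awsutil
 
 import (
 	"encoding/json"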

+ 2 - 1
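--- a/pkg/provider/aws/util/validation.go
+++ b/pkg/provider/aws/util/validation.go
@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+// Package awsutil provides utility functions for AWS provider integration
+package awsutil
 
 import (
 	"fmt"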
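Review bot: The added `// Package awsutil provides utility functions for AWS provider integration` is a second package comment for `awsutil`; errors.go in the same directory already carries `// Package awsutil provides utility functions for AWS providers in External Secrets Operator` after this commit. Go's documentation tooling concatenates package comments found in several files of one package, so the rendered package doc would show both sentences back to back. Keep the package comment in a single file (errors.go, or a dedicated `doc.go`) and leave this file with the bare `package awsutil` clause.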

+ 7 - 7
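--- a/pkg/provider/azure/keyvault/keyvault.go
+++ b/pkg/provider/azure/keyvault/keyvault.go
@@ -61,10 +61,10 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 const (
@@ -319,18 +319,18 @@ func (a *Azure) ValidateStore(store esv1.GenericStore) (admission.Warnings, erro
 	}
 	if p.AuthSecretRef != nil {
 		if p.AuthSecretRef.ClientID != nil {
-			if err := utils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientID); err != nil {
+			if err := esutils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientID); err != nil {
 				return nil, fmt.Errorf(errInvalidSecRefClientID, err)
 			}
 		}
 		if p.AuthSecretRef.ClientSecret != nil {
-			if err := utils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientSecret); err != nil {
+			if err := esutils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientSecret); err != nil {
 				return nil, fmt.Errorf(errInvalidSecRefClientSecret, err)
 			}
 		}
 	}
 	if p.ServiceAccountRef != nil {
-		if err := utils.ValidateReferentServiceAccountSelector(store, *p.ServiceAccountRef); err != nil {
+		if err := esutils.ValidateReferentServiceAccountSelector(store, *p.ServiceAccountRef); err != nil {
 			return nil, fmt.Errorf(errInvalidSARef, err)
 		}
 	}
@@ -710,7 +710,7 @@ func getSecretKey(secret *corev1.Secret, data esv1.PushSecretData) ([]byte, erro
 	for k, v := range secret.Data {
 		secretStringVal[k] = string(v)
 	}
-	value, err := utils.JSONMarshal(secretStringVal)
+	value, err := esutils.JSONMarshal(secretStringVal)
 	if err != nil {
 		return nil, fmt.Errorf("failed to serialize secret content as JSON: %w", err)
 	}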

+ 1 - 1
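--- a/pkg/provider/azure/keyvault/keyvault_new_sdk.go
+++ b/pkg/provider/azure/keyvault/keyvault_new_sdk.go
@@ -39,8 +39,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/constants"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/metrics"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 // New SDK implementations for setter methods.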

+ 9 - 9
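--- a/pkg/provider/azure/keyvault/keyvault_test.go
+++ b/pkg/provider/azure/keyvault/keyvault_test.go
@@ -36,10 +36,10 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/metadata"
 	"github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault/fake"
 	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
 )
 
 type secretManagerTestCase struct {
@@ -379,7 +379,7 @@ func TestAzureKeyVaultDeleteSecret(t *testing.T) {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		err := sm.DeleteSecret(context.Background(), v.pushData)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			if err == nil {
 				t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError)
 			} else {
@@ -956,7 +956,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 			}
 		}
 		err := sm.PushSecret(context.Background(), v.secret, v.pushData)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			if err == nil {
 				t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError)
 			} else {
@@ -966,7 +966,7 @@ func TestAzureKeyVaultPushSecret(t *testing.T) {
 		if len(v.expectedData) > 0 {
 			sm.baseClient = v.mockClient
 			out, err := sm.GetSecretMap(context.Background(), *v.ref)
-			if !utils.ErrorContains(err, v.expectError) {
+			if !esutils.ErrorContains(err, v.expectError) {
 				t.Errorf(unexpectedError, k, err.Error(), v.expectError)
 			}
 			if err == nil && !reflect.DeepEqual(out, v.expectedData) {
@@ -1342,7 +1342,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		out, err := sm.GetSecret(context.Background(), *v.ref)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf(unexpectedError, k, err.Error(), v.expectError)
 		}
 		if string(out) != v.expectedSecret {
@@ -1501,7 +1501,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		out, err := sm.GetSecretMap(context.Background(), *v.ref)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf(unexpectedError, k, err.Error(), v.expectError)
 		}
 		if err == nil && !reflect.DeepEqual(out, v.expectedData) {
@@ -1644,7 +1644,7 @@ func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
 		out, err := sm.GetAllSecrets(context.Background(), *v.refFind)
-		if !utils.ErrorContains(err, v.expectError) {
+		if !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf(unexpectedError, k, err.Error(), v.expectError)
 		}
 		if err == nil && !reflect.DeepEqual(out, v.expectedData) {
@@ -1849,7 +1849,7 @@ func TestAzureKeyVaultSecretExists(t *testing.T) {
 		sm.baseClient = tc.mockClient
 		exists, err := sm.SecretExists(context.Background(), tc.pushData)
 
-		if !esutils.ErrorContains(err, tc.expectError) {
+		if !esutils.ErrorContains(err, tc.expectError) {
 			if err == nil {
 				t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, tc.expectError)
 			} else {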
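Review bot: The failure branch `t.Errorf(unexpectedError, k, err.Error(), v.expectError)` calls `err.Error()` without checking `err` for nil, in the `GetSecretMap` check of TestAzureKeyVaultPushSecret and in the TestAzureKeyVaultSecretManagerGetSecret, GetSecretMap and GetAllSecrets hunks. If a case expects an error and the call returns none, the test would panic on a nil dereference instead of reporting a failure, assuming `esutils.ErrorContains` returns false for a nil error with a non-empty expectation (its body is not visible here). The DeleteSecret, PushSecret and SecretExists checks in this same file already branch on `if err == nil` and print `<nil>` before formatting; the four sites above should get the same guard. All of these test functions start and end outside the hunks.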

+ 2 - 2
pkg/provider/beyondtrust/provider.go

@@ -37,8 +37,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	esutils "github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	esutils "github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 )
 
 
 const (
 const (
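Review bot: The alias in `esutils "github.com/external-secrets/external-secrets/pkg/esutils"` is redundant after the rename. It was needed while the path ended in `utils`, but the other files in this commit import the renamed package without an alias and still refer to it as `esutils`, which suggests the package clause now carries that name. As the commit is about revive findings, note that revive's `redundant-import-alias` rule would flag this line if it is enabled. The import can be written as `"github.com/external-secrets/external-secrets/pkg/esutils"`.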

+ 3 - 3
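--- a/pkg/provider/bitwarden/client.go
+++ b/pkg/provider/bitwarden/client.go
@@ -29,7 +29,7 @@ import (
 	"k8s.io/utils/ptr"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 const (
@@ -63,12 +63,12 @@ func (p *Provider) PushSecret(ctx context.Context, secret *corev1.Secret, data e
 		return errors.New("remote key must be defined")
 	}
 
-	value, err := utils.ExtractSecretData(data, secret)
+	value, err := esutils.ExtractSecretData(data, secret)
 	if err != nil {
 		return fmt.Errorf("failed to extract secret data: %w", err)
 	}
 
-	note, err := utils.FetchValueFromMetadata(NoteMetadataKey, data.GetMetadata(), "")
+	note, err := esutils.FetchValueFromMetadata(NoteMetadataKey, data.GetMetadata(), "")
 	if err != nil {
 		return fmt.Errorf("failed to fetch note from metadata: %w", err)
 	}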

+ 3 - 3
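--- a/pkg/provider/bitwarden/provider.go
+++ b/pkg/provider/bitwarden/provider.go
@@ -29,8 +29,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 // Provider implements the External Secrets provider interface for Bitwarden Secrets Manager.
@@ -114,7 +114,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 // newHTTPSClient creates a new HTTPS client with the given cert.
 func newHTTPSClient(ctx context.Context, c client.Client, storeKind, namespace string, provider *esv1.BitwardenSecretsManagerProvider) (*http.Client, error) {
-	cert, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
+	cert, err := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
 		CABundle:   []byte(provider.CABundle),
 		CAProvider: provider.CAProvider,
 		StoreKind:  storeKind,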

+ 4 - 4
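--- a/pkg/provider/chef/chef.go
+++ b/pkg/provider/chef/chef.go
@@ -37,7 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 )
 
 const (
@@ -177,7 +177,7 @@ func (providerchef *Providerchef) GetAllSecrets(_ context.Context, _ esv1.Extern
 
 // GetSecret returns a databagItem present in the databag. format example: databagName/databagItemName.
 func (providerchef *Providerchef) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	if utils.IsNil(providerchef.databagService) {
+	if esutils.IsNil(providerchef.databagService) {
 		return nil, errors.New(errUninitalizedChefProvider)
 	}
 
@@ -265,7 +265,7 @@ func getPropertyFromDatabagItem(jsonByte []byte, propertyName string) ([]byte, e
 // dataFrom.extract.key only accepts dataBagName, example : dataFrom.extract.key: myDatabag
 // databagItemName or Property not expected in key.
 func (providerchef *Providerchef) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	if utils.IsNil(providerchef.databagService) {
+	if esutils.IsNil(providerchef.databagService) {
 		return nil, errors.New(errUninitalizedChefProvider)
 	}
 	databagName := ref.Key
@@ -298,7 +298,7 @@ func (providerchef *Providerchef) ValidateStore(store esv1.GenericStore) (admiss
 		return nil, fmt.Errorf(errChefStore, err)
 	}
 	// check namespace compared to kind
-	if err := utils.ValidateSecretSelector(store, chefProvider.Auth.SecretRef.SecretKey); err != nil {
+	if err := esutils.ValidateSecretSelector(store, chefProvider.Auth.SecretRef.SecretKey); err != nil {
 		return nil, fmt.Errorf(errChefStore, err)
 	}
 	return nil, nil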

+ 3 - 3
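--- a/pkg/provider/chef/chef_test.go
+++ b/pkg/provider/chef/chef_test.go
@@ -31,8 +31,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	fake "github.com/external-secrets/external-secrets/pkg/provider/chef/fake"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 const (
@@ -185,7 +185,7 @@ func TestChefGetSecret(t *testing.T) {
 	for k, v := range successCases {
 		sm.databagService = v.mockClient
 		out, err := sm.GetSecret(ctx, *v.ref)
-		if err != nil && !utils.ErrorContains(err, v.expectError) {
+		if err != nil && !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf("[case %d] expected error: %v, got: %v", k, v.expectError, err)
 		} else if v.expectError != "" && err == nil {
 			t.Errorf("[case %d] expected error: %v, got: nil", k, v.expectError)
@@ -238,7 +238,7 @@ func TestChefGetSecretMap(t *testing.T) {
 	for k, v := range successCases {
 		pc.databagService = v.mockClient
 		out, err := pc.GetSecretMap(ctx, *v.ref)
-		if err != nil && !utils.ErrorContains(err, v.expectError) {
+		if err != nil && !esutils.ErrorContains(err, v.expectError) {
 			t.Errorf("[case %d] expected error: %v, got: %v", k, v.expectError, err)
 		} else if v.expectError != "" && err == nil {
 			t.Errorf("[case %d] expected error: %v, got: nil", k, v.expectError)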

+ 2 - 2
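--- a/pkg/provider/cloudru/secretmanager/client.go
+++ b/pkg/provider/cloudru/secretmanager/client.go
@@ -31,8 +31,8 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/provider/cloudru/secretmanager/adapter"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 var (
@@ -138,7 +138,7 @@ func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind)
 		out[s.GetPath()] = secret
 	}
 
-	return utils.ConvertKeys(ref.ConversionStrategy, out)
+	return esutils.ConvertKeys(ref.ConversionStrategy, out)
 }
 
 func (c *Client) accessSecret(ctx context.Context, key, version string) ([]byte, error) {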

+ 3 - 3
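--- a/pkg/provider/cloudru/secretmanager/provider.go
+++ b/pkg/provider/cloudru/secretmanager/provider.go
@@ -36,8 +36,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
 	"github.com/external-secrets/external-secrets/pkg/provider/cloudru/secretmanager/adapter"
-	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 func init() {
@@ -163,12 +163,12 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	}
 
 	ref := csmProvider.Auth.SecretRef
-	err := utils.ValidateReferentSecretSelector(store, ref.AccessKeyID)
+	err := esutils.ValidateReferentSecretSelector(store, ref.AccessKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("invalid spec: auth.secretRef.accessKeyID: %w", err)
 	}
 
-	err = utils.ValidateReferentSecretSelector(store, ref.AccessKeySecret)
+	err = esutils.ValidateReferentSecretSelector(store, ref.AccessKeySecret)
 	if err != nil {
 		return nil, fmt.Errorf("invalid spec: auth.secretRef.accessKeySecret: %w", err)
 	}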

+ 1 - 1
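--- a/pkg/provider/cloudru/secretmanager/resolver.go
+++ b/pkg/provider/cloudru/secretmanager/resolver.go
@@ -23,8 +23,8 @@ import (
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/provider/cloudru/secretmanager/adapter"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 // KubeCredentialsResolver resolves the credentials from the Kubernetes secret.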

+ 1 - 1
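--- a/pkg/provider/conjur/auth_jwt.go
+++ b/pkg/provider/conjur/auth_jwt.go
@@ -27,7 +27,7 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 )
 
 // JwtLifespan is the duration in seconds for which the JWT token is valid (10 minutes).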

+ 4 - 4
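--- a/pkg/provider/conjur/client.go
+++ b/pkg/provider/conjur/client.go
@@ -28,9 +28,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/pkg/esutils"
+	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/pkg/provider/conjur/util"
-	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 var (
@@ -61,12 +61,12 @@ func (c *Client) GetConjurClient(ctx context.Context) (SecretsClient, error) {
 		return c.client, nil
 	}
 
-	prov, err := util.GetConjurProvider(c.store)
+	prov, err := conjurutil.GetConjurProvider(c.store)
 	if err != nil {
 		return nil, err
 	}
 
-	cert, getCertErr := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
+	cert, getCertErr := esutils.FetchCACertFromSource(ctx, esutils.CreateCertOpts{
 		CABundle:   []byte(prov.CABundle),
 		CAProvider: prov.CAProvider,
 		StoreKind:  c.store.GetKind(),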
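Review bot: Nothing in this file tells a reader where `conjurutil` in `conjurutil.GetConjurProvider(c.store)` comes from, because the import `"github.com/external-secrets/external-secrets/pkg/provider/conjur/util"` is unchanged context and carries no alias. The call resolves only through the renamed package clause in pkg/provider/conjur/util. Go permits a package name that differs from the last path element, but the usual convention is an explicit alias in that case: `conjurutil "github.com/external-secrets/external-secrets/pkg/provider/conjur/util"`. Renaming the directory to match the package would remove the mismatch altogether, and the same applies to `awsutil` under pkg/provider/aws/util. GetConjurClient's body continues outside the hunk.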

+ 2 - 2
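--- a/pkg/provider/conjur/util/provider.go
+++ b/pkg/provider/conjur/util/provider.go
@@ -14,9 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package util provides utility functions for working with Conjur providers.
+// Package conjurutil provides utility functions for working with Conjur providers.
 // It contains helper functions for validating and extracting Conjur provider configurations.
-package util
+package conjurutil
 
 import (
 	"errors"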

Bu fark içinde çok fazla dosya değişikliği olduğu için bazı dosyalar gösterilmiyor