{% raw %}
# Example ExternalSecret: the target template RSA-decrypts a ciphertext fetched
# from the provider and writes the result under the `password` key.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: rsa-decrypt-template-v2
spec:
  # ...
  target:
    template:
      engineVersion: v2
      data:
        # Decrypt a binary ciphertext using a private key stored in a Kubernetes Secret.
        # getSecretKey("secret-name", "namespace", "key") reads the PEM private key.
        # rsaDecrypt("SCHEME", "HASH", ciphertext, privateKeyPEM) decrypts the ciphertext (binary).
        #
        # The rendered value is the decrypted plaintext, so the generated Secret holds
        # the password in clear; restrict read access to that Secret accordingly.
        # NOTE(review): "SHA1" is the OAEP hash and has to match what the encrypting
        # side used. Prefer a SHA-2 hash if both the encryptor and your ESO version
        # support one - confirm before changing, a mismatch makes decryption fail.
        # NOTE(review): getSecretKey names the namespace explicitly ("namespace_pk");
        # presumably the read runs with the controller's own RBAC - confirm who is
        # allowed to author ExternalSecrets that can reference the private-key Secret.
        password: '{{ getSecretKey "my_secret_with_pk" "namespace_pk" "key_pk" | rsaDecrypt "RSA-OAEP" "SHA1" .password_encrypted_binary }}'

        # Alternatives:
        # - If provider returns Base64, decode in-template with b64dec:
        #   password: '{{ getSecretKey "my_secret_with_pk" "namespace_pk" "key_pk" | rsaDecrypt "RSA-OAEP" "SHA1" (.password_encrypted_base64 | b64dec) }}'
        # - Or set decodingStrategy: Base64 on the remoteRef of the spec.data entry so template receives binary.
        # - Or use a private key pulled into this ExternalSecret (then use {{ .private_key }});
        #   this needs a spec.data entry with secretKey: private_key, which is not shown here:
        #   password: '{{ .private_key | rsaDecrypt "RSA-OAEP" "SHA1" .password_encrypted_binary }}'
  data:
    # The ciphertext as stored at the provider; the template reads it as
    # .password_encrypted_binary.
    - secretKey: password_encrypted_binary
      remoteRef:
        key: /credentials/password_encrypted_binary
        # If ciphertext is Base64 encoded, either decode in-template (b64dec) or use decodingStrategy: Base64
    # Example (decode here -> template receives binary):
    # - secretKey: password_encrypted_base64
    #   remoteRef:
    #     key: /credentials/password_encrypted_base64
    #     decodingStrategy: Base64
  # ...
{% endraw %}