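{% raw %}
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: rsa-decrypt-template-v2
spec:
  # ...
  target:
    template:
      engineVersion: v2
      data:
        # Decrypt a binary ciphertext using a private key stored in a Kubernetes Secret.
        # rsaDecrypt("SCHEME", "HASH", ciphertext, privateKeyPEM) decrypts the ciphertext (binary).
        # SCHEME and HASH must match the parameters the ciphertext was encrypted with.
        # The rendered `password` is plaintext in the target Secret: scope RBAC on that
        # Secret accordingly, and check that `privatekey` is not copied into it.
        password: '{{ rsaDecrypt "RSA-OAEP" "SHA1" .password_encrypted_binary .privatekey }}'
  data:
    # Private key, read from an in-cluster Secret through the store named in sourceRef.
    - secretKey: privatekey
      remoteRef:
        key: a-secretname-in-cluster
        property: privatekey
      sourceRef:
        storeRef:
          kind: SecretStore  # or ClusterSecretStore
          name: kubernetes  # name of the k8s provider
    # Ciphertext. No sourceRef is set on this entry, so it presumably resolves through
    # the ExternalSecret's default store (elided in the "# ..." under spec) - confirm.
    - secretKey: password_encrypted_binary
      remoteRef:
        key: /credentials/password_encrypted_binary
    # If ciphertext is Base64 encoded, either decode in-template (b64dec) or use decodingStrategy: Base64
    # Example (decode here -> template receives binary):
    # - secretKey: password_encrypted_base64
    #   remoteRef:
    #     key: /credentials/password_encrypted_base64
    #     decodingStrategy: Base64
  # ...
{% endraw %}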